- Daily - CERT.at

Tageszusammenfassung - 10.10.2017
by Daily end-of-shift report 10 Oct '17

10 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2017 18:00 − Dienstag 10-10-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ATMii Malware Makes Windows 7 and Windows Vista ATMs Spit Out Cash ∗∗∗ --------------------------------------------- Security researchers have discovered a new ATM malware strain named ATMii that targets only ATMs running on Windows 7 and Windows Vista. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atmii-malware-makes-windows-… ∗∗∗ Changes in Password Best Practices ∗∗∗ --------------------------------------------- NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they dont help that much. Its better to allow people to use pass phrases.Stop it with password expiration. That was an old idea for an old way we used [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html ∗∗∗ The Absurdly Underestimated Dangers of CSV Injection ∗∗∗ --------------------------------------------- In some ways this is old news, but in other ways…well, I think few realize how absolutely devastating and omnipresent this vulnerability can be. It is an attack vector available in every application I’ve ever seen that takes user input and allows administrators to bulk export to CSV. --------------------------------------------- http://georgemauer.net/2017/10/07/csv-injection.html ∗∗∗ Financial Times bekämpft Werbebetrug ∗∗∗ --------------------------------------------- Millionenverluste durch Domain-Spoofing: Werbenetzwerke verkauften Videowerbung für Leser der Financial Times, die aber tatsächlich auf anderen Websites ausgespielt wurde. --------------------------------------------- https://www.heise.de/newsticker/meldung/Financial-Times-bekaempft-Werbebetr… ∗∗∗ Google-Analyse: Microsoft patcht Windows 7/8 teilweise nicht ∗∗∗ --------------------------------------------- Forscher von Google haben nachgewiesen, dass Microsoft Sicherheitslücken in Windows 10 behoben hat, die gleichen Lücken in Windows 7 und 8 jedoch offen ließ. Patches kamen erst, als die Veröffentlichung durch Project Zero drohte. --------------------------------------------- https://heise.de/-3852695 ∗∗∗ Über 37.000 Chrome-Nutzer installierten gefälschte Adblock-Plus-Extension ∗∗∗ --------------------------------------------- Die Browser-Erweiterung Adblock Plus soll vor Werbung und Schadcode schützen. Eine kürzlich aus dem Chrome Web Store entfernte Extension gleichen Namens führte das genaue Gegenteil im Schilde. Im Zweifel ist eine Neuinstallation ratsam. --------------------------------------------- https://heise.de/-3854625 ∗∗∗ Sicherheits-App der Erste Bank ist Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Erste Bank und Sparkasse-Nachricht. Darin behaupten sie, dass das Konto von Kund/innen eingeschränkt worden sei und sie zur weiteren Benutzung eine Sicherheits-App installieren müssen. Die angebliche Sicherheits-App ist Schadsoftware. Wer sie isntalliert, ermöglicht Kriminellen Zugriff auf das eigene Konto. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/sicherheits-app-der-erste-b… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – October 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/10/10/sap-security-patch-day-october-2017/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Host On-Demand ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009289 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Services (CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009293 ∗∗∗ IBM Security Bulletin: WebSphere Application Server Edge Caching Proxy may be vulnerable to HTTP response splitting (CVE-2017-1503) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006815 ∗∗∗ IBM Security Bulletin: Open Source Apache Cordova Android Vulnerabilities affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000350 ∗∗∗ IBM Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008829 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2017
by Daily end-of-shift report 09 Oct '17

09 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2017 18:00 − Montag 09-10-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitssoftware: Schlangenöl oder notwendiges Übel? ∗∗∗ --------------------------------------------- Als Schlangenöl wurden in Zeiten des Wilden Westens vorwiegend medizinische Produkte und Hilfsmittel bezeichnet, deren Wirkung wenig bis keinen Ursprung in den darin verwendeten Zutaten hatte oder schlicht nicht existent war. Der Begriff wird mittlerweile auch im Software-Kontext für Produkte verwendet, die mehr versprechen, als sie halten können. Besonders .. --------------------------------------------- https://www.dfn-cert.de/aktuell/sicherheitssoftware-schlangenoel.html ∗∗∗ Foren-Tool Disqus gehackt: 17,5 Millionen User betroffen ∗∗∗ --------------------------------------------- Der Vorfall, bei dem Usernamen und Passwörter abgegriffen wurden, ereignete sich bereits vor fünf Jahren. Disqus will bis jetzt nichts davon gewusst haben. --------------------------------------------- https://futurezone.at/digital-life/foren-tool-disqus-gehackt-17-5-millionen… ∗∗∗ Passwortmanager im Vergleich: Das letzte Passwort, das du dir jemals merken musst ∗∗∗ --------------------------------------------- Menschen scheinen nicht dafür gemacht, sich sehr viele komplizierte Passwörter zu merken. Abhilfe schaffen Passwortmanager. Wir haben die Lösungen von Keepass, Lastpass, 1Password und Dashlane verglichen - und bei allen Stärken gefunden. --------------------------------------------- https://www.golem.de/news/passwortmanager-im-vergleich-das-letzte-passwort-… ∗∗∗ After selling his site for millions, founder hacked it for a second payday ∗∗∗ --------------------------------------------- Rigzone founder sentenced for data duplication scheme "Operation Resume Hoard" was going well. Initiated around April 1, 2015, it represented David W. Kents plan to build the membership of his oil and gas industry .. --------------------------------------------- www.theregister.co.uk/2017/10/07/after_selling_site_for_millions_founder_ha… ∗∗∗ Dnsmasq: A Reality Check and Remediation Practices ∗∗∗ --------------------------------------------- Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/dnsmasq-reality-… ∗∗∗ John Kellys Hacked Phone Could Be a Major National Security Issue ∗∗∗ --------------------------------------------- When the former head of the Department of Homeland Security and current White House Chief of Staffs personal smartphone gets hacked, nothing good can happen. --------------------------------------------- https://www.wired.com/story/john-kelly-hacked-phone ∗∗∗ TLS 1.3: Security-Devices verhindern die Einführung ∗∗∗ --------------------------------------------- Alle Security-Experten sind sich einig, dass der Standard TLS 1.3 ein deutlicher Schritt zu mehr Sicherheit im Internet wäre. Doch ausgerechnet Security-Devices, die Verschlüsselung aufbrechen, verhindern die Einführung auf nicht absehbare Zeit. --------------------------------------------- https://heise.de/-3852819 ∗∗∗ Testing Security Keys ∗∗∗ --------------------------------------------- http://www.imperialviolet.org/2017/10/08/securitykeytest.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3993 tor - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3993 ∗∗∗ DSA-3994 nautilus - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3994 ∗∗∗ Symantec Endpoint Encryption / Symantec Encryption Desktop DoS ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ HPESBHF03777 rev.2 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2017
by Daily end-of-shift report 06 Oct '17

06 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2017 18:00 − Freitag 06-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Hijack Ongoing Email Conversations to Insert Malicious Documents ∗∗∗ --------------------------------------------- A group of hackers is using a sophisticated technique of hijacking ongoing email conversations to insert malicious documents that appear to be coming from a legitimate source and infect other targets participating in the same conversational thread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-ongoing-email… ∗∗∗ IT-Sicherheit: Für das FBI Botnetze ausschalten ∗∗∗ --------------------------------------------- Der deutsche IT-Sicherheitsforscher Tillmann Werner hat der US-Behörde FBI geholfen, einen gefährlichen Hacker zu jagen. --------------------------------------------- https://www.golem.de/news/it-sicherheit-fuer-das-fbi-botnetze-ausschalten-1… ∗∗∗ Geheimdienste: Wenn Hacker Hacker hacken, scheitert die Attribution ∗∗∗ --------------------------------------------- Einen Hack bis zu seinem Ursprung zurückzuverfolgen, gilt im IT-Sicherheitsbereich als schwieriges Geschäft. Neue Forschungen von Kaspersky zeigen, dass die Situation noch verfahrener ist, als bislang angenommen. --------------------------------------------- https://www.golem.de/news/geheimdienste-wenn-hacker-hacker-hacken-scheitert… ∗∗∗ Whats in a cable? The dangers of unauthorized cables, (Fri, Oct 6th) ∗∗∗ --------------------------------------------- As data speeds have increased over the last few years, and interface ports have become more and more multi-functioning and integrated, cables have started to pose a very particular and real danger. So far, they often have been ignored and considered "dumb wires". But far from that, many cables these days hold logic chips of their own and in some cases even upgradable (replaceable) firmware. --------------------------------------------- https://isc.sans.edu/diary/rss/22904 ∗∗∗ Dumb bug of the week: Apples macOS reveals your encrypted drives password in the hint box ∗∗∗ --------------------------------------------- High Sierra update derided by devs as half-baked | Apple on Thursday released a security patch for macOS High Sierra 10.13 to address vulnerabilities in Apple File System (APFS) volumes and its Keychain software. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/apple_patch… ∗∗∗ Wenn Facebook-Freund/innen nach Geld fragen ∗∗∗ --------------------------------------------- Nachdem Facebook-Konten erfolgreich gehackt wurden, versuchen Betrüger daraus Kapital zu schlagen. Aus diesem Grund schreiben sie Kontakte an und erfinden Geschichten, um an schnelles Geld zu kommen. Um kein Opfer dieser Masche zu werden, sollte den Inhalten nicht leichtfertig geglaubt werden. --------------------------------------------- https://www.watchlist-internet.at/facebook-betrug/wenn-facebook-freundinnen… ∗∗∗ Cyber-Sicherheit am Arbeitsplatz: Persönliche Daten im Internet schützen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/ECSM_BSI_06… ===================== = Vulnerabilities = ===================== ∗∗∗ GE CIMPLICITY ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in GEs CIMPLICITY. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-278-01 ∗∗∗ ZDI-17-838: (0Day) Microsoft Windows WAV File Uninitialized Pointer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to cause a denial-of-service condition on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-838/ ∗∗∗ DFN-CERT-2017-1757: Ruby: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1757/ ∗∗∗ HPESBHF03786 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009253 ∗∗∗ IBM Security Bulletin: Multiple DB2 vulnerabilities affect IBM Spectrum Protect (formerly Tivoli Storage Manger) Server (CVE-2017-1105, CVE-2017-1297) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22009194 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Open Source zlib affect IBM Netezza SQL Extensions ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001212 ∗∗∗ Linux kernel vulnerability CVE-2017-14106 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62178133 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2017
by Daily end-of-shift report 05 Oct '17

05 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2017 18:00 − Donnerstag 05-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mozilla to End All Firefox Support for XP and Vista in June 2018 ∗∗∗ --------------------------------------------- Mozilla announced today plans to discontinue any support for the Firefox browser on Windows XP and Vista in June 2018. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/software/mozilla-to-end-all-firefox-s… ∗∗∗ Avast: Ccleaner-Malware hat drei Stufen und verschont 64-Bit-PCs ∗∗∗ --------------------------------------------- Die Malware in einer Ccleaner-Version hatte mindestens drei Stufen - von der ersten waren 1,65 Millionen Personen betroffen. Wer ein 64-Bit-Windows nutzt, soll allerdings nichts zu befürchten haben. --------------------------------------------- https://www.golem.de/news/avast-ccleaner-malware-hat-drei-stufen-und-versch… ∗∗∗ Security Awareness Month: How to Help Friends and Family, (Wed, Oct 4th) ∗∗∗ --------------------------------------------- For the last few years, October has been "Security Awareness Month", with various organizations using it to promote security awareness. We have done a few "themed" diaries around security awareness in past years, but for the most part, there isn't that much new to say for our core audience. Security awareness is however still a big issue for the rest of humanity, and if you are looking for advice to help friends and family become more security-aware, then the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22896 ∗∗∗ SYSCON Backdoor Uses FTP as a C&C Channel ∗∗∗ --------------------------------------------- Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Mw_aCJ0nNos/ ∗∗∗ Common Sense in EDI Security ∗∗∗ --------------------------------------------- [...] Looking at these examples, we can see that security is a process, a chain of events; for security measures to succeed, every link in the chain of events must be as secure as possible. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/common-… ∗∗∗ Outsmarting grid security threats ∗∗∗ --------------------------------------------- Almost two-thirds (63 percent) of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years. The Accenture survey of more than 100 utilities executives from over 20 countries revealed interruptions to the power supply from cyberattacks is the most serious concern, cited by 57 percent of respondents. Just as worrying is the physical threat to the distribution grid. --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/grid-security-threats/ ∗∗∗ PoC for several Magento vulnerabilities released, update now! ∗∗∗ --------------------------------------------- DefenseCode has published proof of concept code for two CSRF and stored XSS vulnerabilities affecting a number of versions of the popular e-commerce platform Magento. Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop. About the vulnerabilities Security researcher Bosko Stankovic discovered the security flaws during a security audit of Magento [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/05/magento-vulnerability-poc-code/ ===================== = Vulnerabilities = ===================== ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ Apple security update for watchOS ∗∗∗ --------------------------------------------- watchOS 4.0.1 includes the security content of watchOS 4 and is available for Apple Watch Series 3 (GPS + Cellular). --------------------------------------------- https://support.apple.com/en-us/HT208163 ∗∗∗ DFN-CERT-2017-1736: Digium Asterisk, Digium Certified Asterisk: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1736/ ∗∗∗ DFN-CERT-2017-1750: cURL: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1750/ ∗∗∗ DFN-CERT-2017-1755: Sophos UTM Manager: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1755/ ∗∗∗ Cisco Security Advisories and Alerts ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-971654 (Last Update 2017-10-05): Authentication Bypass in 7KT PAC1200 Data Manager from the SENTRON Portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-971654… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2017
by Daily end-of-shift report 04 Oct '17

04 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2017 18:00 − Mittwoch 04-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Announces New Tool to Investigate Memory Corruption Bugs ∗∗∗ --------------------------------------------- Microsoft announced yesterday a new tool that automates the process of detecting the root cause of memory corruption issues. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-new-too… ∗∗∗ New Rowhammer Attack Bypass Previously Proposed Countermeasures ∗∗∗ --------------------------------------------- Security researchers have come up with a variation of the Rowhammer attack that bypasses all previously proposed countermeasures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rowhammer-attack-bypass-… ∗∗∗ Website Hosting: Security Awareness Can Reduce Costs ∗∗∗ --------------------------------------------- Website hosting security has matured in recent years. Naturally, the types of security issues have changed because of it. For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today. However, malware attacks and other website security-related issues at the account level are still very real problems – just ask anyone who has had their website defaced, redirected, or [...] --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/3W5Ls3JO36o/website-hosting-s… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3991 qemu - security update ∗∗∗ --------------------------------------------- Multiple vulnerabilities were found in qemu, a fast processor emulator: --------------------------------------------- https://www.debian.org/security/2017/dsa-3991 ∗∗∗ Apple Releases Security Update for iOS ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Apple has released iOS 11.0.2 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apple-Releases-Sec… ∗∗∗ Apache Releases Security Updates for Apache Tomcat ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 The Apache Software Foundation has released Apache Tomcat 9.0.1 and 8.5.23 to address a vulnerability in previous versions of the software. A remote attacker could exploit this vulnerability to take control of an affected server. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Apache-Releases-Se… ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Integrated Management Controller Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Linux kernel vulnerability CVE-2017-14489 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71796229 ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03782 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03776 rev.1 - HPE Intelligent Management Center (iMC) Service Operation Management (SOM), Remote Arbitrary File Download ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03778 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03777 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ HPESBHF03781 rev.1 - HPE intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2017
by Daily end-of-shift report 03 Oct '17

03 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2017 18:00 − Dienstag 03-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Three WordPress Plugin Zero-Days Exploited in the Wild ∗∗∗ --------------------------------------------- Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/three-wordpress-plugin-zero-… ∗∗∗ Security Bugs in Dnsmasq Affect Computers, Smartphones, Routers, IoT Devices ∗∗∗ --------------------------------------------- Security researchers at Google have found seven security bugs in the Dnsmasq application that put an inestimable number of desktops, servers, smartphones, routers, and other IoT devices at risk of hacking. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-bugs-in-dnsmasq-aff… ∗∗∗ Cyber Security Challenge: Das Team Austria steht fest ∗∗∗ --------------------------------------------- Nach dem Finale ist vor dem Finale: Die Sieger der Austria Cyber Security Challenge trainieren jetzt für den Sieg im europäischen Hacker-Wettbewerb. --------------------------------------------- https://futurezone.at/digital-life/cyber-security-challenge-das-team-austri… ∗∗∗ Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices ∗∗∗ --------------------------------------------- Netgear patches over a dozen vulnerabilities impacting its routers, switches and NAS devices. --------------------------------------------- http://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-… ∗∗∗ E-Mail Tracking ∗∗∗ --------------------------------------------- Interesting survey paper: on the privacy implications of e-mail tracking: Abstract: We show that the simple act of viewing emails contains privacy pitfalls for the unwary. We assembled a corpus of commercial mailing-list emails, and find a network of hundreds of third parties that track email recipients via methods such as embedded pixels. About 30% of emails leak the recipients email address to one or more of these third parties when they are viewed. In the majority of cases, these leaks are [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/10/e-mail_tracking.html ∗∗∗ Outdated vendor systems leaving finance industry at risk ∗∗∗ --------------------------------------------- BitSight data scientists found that in most cases, companies in the finance industry supply chain are not meeting the same security standards that finance companies hold for their own organizations. The spread of BitSight Security Ratings amongst Finance Firms and monitored Legal, Technology, and Business Services organizations as of September 1st, 2017. "While finance organizations tend to have more sophisticated vendor risk management programs, there is a lot of work to be done to close [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/10/03/outdated-vendor-systems/ ∗∗∗ Threat Hunting Part 2: Hunting on ICS Networks ∗∗∗ --------------------------------------------- In this edition of the Dragos Threat Hunting on ICS network series, we will compare threat hunting on industrial networks with concepts from the wider threat hunting community. We will also look at how the unique characteristics of industrial networks can be used to an advantage as network defense professionals [...] --------------------------------------------- https://dragos.com/blog/20170927-ThreatHuntingSeriesPart2.html ===================== = Vulnerabilities = ===================== ∗∗∗ Dnsmasq Contains Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Original release date: October 03, 2017 Dnsmasq versions 2.77 and prior contain multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/10/03/Dnsmasq-Contains-M… ∗∗∗ Android Security Bulletin—October 2017 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2017-10-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2017
by Daily end-of-shift report 02 Oct '17

02 Oct '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-09-2017 18:00 − Montag 02-10-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Mobile Forensics Process: Steps & Types ∗∗∗ --------------------------------------------- Introduction: Importance of Mobile Forensics The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information. Mobile devices are right in the middle of three[...] --------------------------------------------- http://resources.infosecinstitute.com/mobile-forensics-process-steps-types/ ∗∗∗ Investigating Security Incidents with Passive DNS, (Mon, Oct 2nd) ∗∗∗ --------------------------------------------- Sometimes when you need to investigate a security incident or to check for suspicious activity, you become frustrated because the online resource that youre trying to reach has already been cleaned. We cannot blame system administrators and webmasters who are just doing their job. If some servers or websites remains compromised for weeks, others are very quickly restored/patched/cleaned to get rid of the malicious content. Its the same for domain names. Domains registered only for malicious [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22886 ∗∗∗ DNSSEC Key Signing Key Rollover Postponed ∗∗∗ --------------------------------------------- Original release date: September 29, 2017 The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that the change to the Root Zone Key Signing Key (KSK) scheduled for October 11, 2017, has been postponed. A new date for the Key Roll has not yet been determined.DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/29/DNSSEC-Key-Signing… ∗∗∗ European Cyber Security Month: United against Cyber Security Threats ∗∗∗ --------------------------------------------- October 2017 is European Cyber Security Month and this year marks the 5th year anniversary of the European Cyber Security Month campaign. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/european-cyber-security-month-u… ∗∗∗ Good Analysis = Understanding(tools + logs + normal) ∗∗∗ --------------------------------------------- We had a reader send an email in a couple of weeks ago asking about understanding the flags field when looking at data in a report. He didnt understand what the "flags" were referring to or what the actual flags mean. "They don’t appear related to TCP header flags like I’ve normally seen...S is the most common but I occasionally see RSA, RUS and a few others." --------------------------------------------- https://isc.sans.edu/forums/diary/Good+Analysis+Understandingtools+logs+nor… ===================== = Vulnerabilities = ===================== ∗∗∗ eDirectory 9.0.4 ∗∗∗ --------------------------------------------- Abstract: This update is being provided to resolve important issues found since the original release of Novell eDirectory 9.0. --------------------------------------------- https://download.novell.com/Download?buildid=WKnTKcctISw~ ∗∗∗ iManager 3.0.4 ∗∗∗ --------------------------------------------- Abstract: This patch addresses important issues found since the original release of iManager 3.0. --------------------------------------------- https://download.novell.com/Download?buildid=r_GBmD8A9cU~ ∗∗∗ XSA-245 ARM: Some memory not scrubbed at boot ∗∗∗ --------------------------------------------- Impact: Sensitive information from one domain before a reboot might be visible to another domain after a reboot. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-245.html ∗∗∗ Vuln: SolarWinds Network Performance Monitor CVE-2017-9538 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/101066 ∗∗∗ DFN-CERT-2017-1723: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1723/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SSA-535640 (Last Update 2017-10-02): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ HPESBMU03753 rev.2 - HPE System Management Homepage for Windows and Linux, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2017
by Daily end-of-shift report 29 Sep '17

29 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-09-2017 18:00 − Freitag 29-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Macs Not Receiving EFI Firmware Security Updates as Expected ∗∗∗ --------------------------------------------- Researchers at Duo Security are expected today at Ekoparty to reveal data and a paper that shows Mac users are not receiving EFI firmware updates at expected. --------------------------------------------- http://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-e… ∗∗∗ ICANN Postpones Scheduled DNS Crypto Key Rollover ∗∗∗ --------------------------------------------- ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System. --------------------------------------------- http://threatpost.com/icann-postpones-scheduled-dns-crypto-key-rollover/128… ∗∗∗ Fake Plugins, Fake Security ∗∗∗ --------------------------------------------- Update: The plugin name is fake and has nothing to do with well-known WP-SpamShield plugin in the official WordPress plugin repository. WordPress users are becoming increasingly more aware of security threats and as a result they are taking more actions to secure their websites (e.g. by installing security plugins). While this is a good thing, there are always black hats trying to take an advantage of new opportunities to compromise websites. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-plugins-fake-security.html ∗∗∗ WiNX: The Ultra-Portable Wireless Attacking Platform ∗∗∗ --------------------------------------------- When you are performing penetration tests for your customers, you need to build your personal arsenal. Tools, pieces of hardware and software are collected here and there depending on your engagements to increase your toolbox. To perform Wireless intrusion tests, I’m a big fan of the WiFi Pineapple. I’ve one for [...] --------------------------------------------- https://blog.rootshell.be/2017/09/28/winx-ultra-portable-wireless-attacking… ∗∗∗ Anonymisierung: Sicherheitsupdates für Tor Browser und Tails ∗∗∗ --------------------------------------------- Der Tor Browser setzt nun auf eine abgesicherte Version von Firefox ESR. In Tails haben die Entwickler diverse Sicherheitslücken, darunter BlueBorne, geschlossen und raten zu einer zügigen Aktualisierung. --------------------------------------------- https://heise.de/-3847033 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the chromium web browser. --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DSA-3985 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3985 ∗∗∗ DFN-CERT-2017-1713: OpenVPN: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1713/ ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce has a vulnerability in Marketing ESpots that could cause a denial of service (CVE-2017-1569) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008547 ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by an Open Source Apache POI Vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005630 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, Business Process Manager, IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000343 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Cloud Orchestrator (CVE-2017-1159) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000328 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-8919) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000322 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2017
by Daily end-of-shift report 28 Sep '17

28 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-09-2017 18:00 − Donnerstag 28-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat Landscape for Industrial Automation Systems in H1 2017 ∗∗∗ --------------------------------------------- Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017. --------------------------------------------- http://securelist.com/threat-landscape-for-industrial-automation-systems-in… ∗∗∗ Incident Response Database ∗∗∗ --------------------------------------------- Incidents often require us to rapidly identify which incident response team is responsible for a particular network, corporation or country. FIRST is developing an automated method to access information on Computer Security Incident Response Teams (CSIRT) and other types of incident handling organizations. --------------------------------------------- https://www.first.org/global/irt-database ∗∗∗ Illusion Gap – Antivirus Bypass Part 1 ∗∗∗ --------------------------------------------- Imagine a situation where you double-click a file and Windows loads that file, but your Antivirus scans another file or even scans nothing at all. Sounds weird, right? Depends on who you ask; [...] --------------------------------------------- https://www.cyberark.com/threat-research-blog/illusion-gap-antivirus-bypass… ===================== = Vulnerabilities = ===================== ∗∗∗ DFN-CERT-2017-1706: Cisco IOS, Cisco IOS XE: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Cisco IOS und IOS XE, ermöglichen einem entfernten, nicht authentisierten Angreifer das Umgehen von Sicherheitsvorkehrungen, was in einem Fall dazu führen kann, dass der Angreifer die vollständige Kontrolle über ein System erlangen kann, das Ausspähen von Informationen sowie die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe. Ein entfernter, einfach authentisierter Angreifer kann [...] --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1706/ ∗∗∗ ZDI-17-829: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-829/ ∗∗∗ ZDI-17-828: Trend Micro OfficeScan tmwfp Memory Corruption Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-828/ ∗∗∗ IBM Security Bulletin: Smart Cloud Entry is affected by ISC BIND vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025663 ∗∗∗ IBM Security Bulletin: Open Source GNU glibc Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-1000366) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008527 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010641 ∗∗∗ IBM Security Bulletin: Open Source Samba Samba Vulnerabilities which is used by IBM OS Images for RedHat Linux in IBM PureApplication Systems (CVE-2017-7494) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007631 ∗∗∗ IBM Security Bulletin: Cross-site Scripting vulnerabilities affect Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008785 ∗∗∗ IBM Security Bulletin: IBM Insights Foundation for Energy has vulnerabilites to SQL injection and cross-site scripting ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22009039 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008391 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-3511 in IBM Java SDK affects IBM Process Designer used in IBM Business Process Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008324 ∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by an OpenSSL vulnerability (CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008918 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Planning Analytics Local ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008584 ∗∗∗ SSA-856721 (Last Update 2017-09-28): Vulnerability in Ruggedcom Discovery Protocol (RCDP) of Industrial Communication Devices ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856721… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2017
by Daily end-of-shift report 27 Sep '17

27 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-09-2017 18:00 − Mittwoch 27-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Another Banking Trojan Adds Support for NSAs EternalBlue Exploit ∗∗∗ --------------------------------------------- A third banking trojan has added support for EternalBlue, an exploit supposedly created by the NSA, leaked online by the Shadow Brokers, and the main driving force behind the WannaCry and NotPetya ransomware outbreaks. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/another-banking-trojan-adds-… ∗∗∗ Broadcom Wireless: Google veröffentlicht Exploit für iPhone 7 ∗∗∗ --------------------------------------------- Google hat einen Exploit für erneute Probleme in Broadcom-WLAN-Chips veröffentlicht. Betroffen von dem Fehler sind das iPhone 7, aber auch Android-Geräte. Für Apple ist das eine gute Botschaft. --------------------------------------------- https://www.golem.de/news/broadcom-wireless-google-veroeffentlicht-exploit-… ∗∗∗ Nach Hack: Viele Deloitte-Systeme im Internet auffindbar ∗∗∗ --------------------------------------------- Angebliche Zugangsdaten für Deloitte-Systeme sind aufgetaucht, wo sie nicht sein sollten: bei Github und auf Google Plus. Außerdem haben Sicherheitsforscher zahlreiche Systeme des Unternehmens im Netz gefunden - mit offenen Ports für SMB und RDP. --------------------------------------------- https://www.golem.de/news/nach-hack-viele-deloitte-systeme-im-internet-auff… ∗∗∗ Security baseline for Windows 10 "Fall Creators Update" (v1709) – DRAFT ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Windows 10 "Fall Creators Update," also known as version 1709, "Redstone 3," or RS3. Please evaluate this proposed baseline and send us your feedback via blog comments below. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-f… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-3984 git - security update ∗∗∗ --------------------------------------------- joernchen discovered that the git-cvsserver subcommand of Git, adistributed version control system, suffers from a shell commandinjection vulnerability due to unsafe use of the Perl backtickoperator. The git-cvsserver subcommand is reachable from thegit-shell subcommand even if CVS support has not been configured(however, the git-cvs package needs to be installed). --------------------------------------------- https://www.debian.org/security/2017/dsa-3984 ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition Appliances ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of the Citrix NetScaler SD-WAN/CloudBridge 4000, 4100, 5000 and 5100 WAN Optimization Edition appliances. This vulnerability, if exploited, could allow an attacker with access to the management interface of the appliance’s NetScaler ADC instance to gain administrative access to the instance. --------------------------------------------- https://support.citrix.com/article/CTX228091 ∗∗∗ SAP Enterprise Portal and Clients Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090219 ∗∗∗ ZDI-17-812: (0Day) EMC Data Protection Advisor ScheduledReportResource Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-812/ ∗∗∗ iOS 11.0.1 Security Update ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208143 ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008902 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025664 ∗∗∗ HPESBMU03753 rev.1 - HPE System Management Homepage, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2017
by Daily end-of-shift report 26 Sep '17

26 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 25-09-2017 18:00 − Dienstag 26-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke in Google für Datendiebstahl genutzt ∗∗∗ --------------------------------------------- Eine spezielle Technik um Webseiten auf mobilen Geräten schneller zu laden, wird von Cyberkriminellen missbraucht, um investigative Journalisten auszuspionieren. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsluecke-in-google-fuer-datendi… ∗∗∗ MacOS High Sierra: MacOS-Keychain kann per App ausgelesen werden ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Patrick Wardle hat demonstriert, dass Apples Keychain unter MacOS mit einer App komplett ausgelesen werden kann. Diese muss aber zunächst an Apples Gatekeeper vorbei. --------------------------------------------- https://www.golem.de/news/macos-high-sierra-macos-keychain-kann-per-app-aus… ∗∗∗ "Preparing for Cyber Security Incidents" ∗∗∗ --------------------------------------------- Talk with any incident responder and youll learn that there are a few less glamorous parts of the job. Writing the final report and preparation in advance to an incident are probably top contenders. In this article I want to focus on preparation and explain to [...] --------------------------------------------- http://ics.sans.org/blog/2017/09/26/preparing-for-cyber-security-incidents ∗∗∗ An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks ∗∗∗ --------------------------------------------- Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/GLIB-nW2ilE/ ∗∗∗ Achtung vor neuer Betrugsmasche: Betrüger ergaunern telefonisch Bitcoin Ladebons ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BK) warnt vor einem bekannten, aber neu adaptierten Betrugsphänomen, bei dem Inhaber und Angestellte von Trafiken, Tankstellen und Postpartnerstellen via Telefon von Betrügern aufgefordert werden, die Codes der Bitcoin Ladebons bekannt zu geben. Die Polizei informiert. --------------------------------------------- http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=47476E2B724F38597A506B3D&pa… ∗∗∗ Source: Deloitte Breach Affected All Company Email, Admin Accounts ∗∗∗ --------------------------------------------- Deloitte, one of the worlds "big four" accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted "very few" clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloittes entire internal email system. --------------------------------------------- https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-com… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- macOS Server 5.4: https://support.apple.com/kb/HT208102 iTunes 12.7 for Windows: https://support.apple.com/kb/HT208141 iTunes 12.7: https://support.apple.com/kb/HT208140 macOS High Sierra 10.13: https://support.apple.com/kb/HT208144 iCloud for Windows 7.0: https://support.apple.com/kb/HT208142 --------------------------------------------- ∗∗∗ Solarwinds LEM Insecure Update Process ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017090206 ∗∗∗ FLIR Systems FLIR Thermal Camera - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ IBM Security Bulletin: Vulnerability in system log on IBM DataPower Gateways WebGUI console (CVE-2017-1591) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008815 ∗∗∗ IBM Security Bulletin: Path Traversal Vulnerability in IBM WebSphere Portal (CVE-2017-1577) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008586 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007912 ∗∗∗ IBM Security Bulletin: Vulnerability in Node.js affects IBM DataPower Gateways (CVE-2017-11499) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008629 ∗∗∗ IBM Security Bulletin: RMI Dispatcher port used by Security Identity Adapters is not authenticated by default ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007375 ∗∗∗ IBM Security Bulletin: Security Identity Adapter attribute input is not protected against command injection ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007377 ∗∗∗ IBM Security Bulletin: Vulnerability in XDR affects IBM DataPower Gateways (CVE-2017-8804) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008628 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2017
by Daily end-of-shift report 25 Sep '17

25 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-09-2017 18:00 − Montag 25-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Securing The Supply Chain Is As Important As Securing The Front Door ∗∗∗ --------------------------------------------- Today most organisations rely on a number of suppliers for providing services to their customers. Supply chain plays a key role within an organisation allowing them to innovate, create new products or services, increase their profitability and compete with other organisations. To be able to do so, organisations need to allow suppliers to connect to their systems/applications and also allow exchange of sensitive information with their suppliers and partners. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/securing-the-supply-ch… ∗∗∗ 7% of All Amazon S3 Servers Are Exposed, Explaining Recent Surge of Data Leaks ∗∗∗ --------------------------------------------- During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/7-percent-of-all-amazon-s3-s… ∗∗∗ Krypto-Trojaner RedBoot infiziert MBR und zerstört Dateien ∗∗∗ --------------------------------------------- Eine neue Ransomware treibt ihr Unwesen im Master Boot Record von Windows-PCs. Darüber hinaus verschlüsselt sie auch Dateien – ohne jedoch einen Weg zur Entschüsselung zu bieten. --------------------------------------------- https://heise.de/-3840923 ∗∗∗ CCleaner-Malware: Avast veröffentlicht weitere Analyse-Ergebnisse ∗∗∗ --------------------------------------------- In einem neuen Blogeintrag nennt Avast weitere Details zum Schadcode in CCleaner 5.33.6162. Dazu zählen konkrete Angriffsziele und Infektionszahlen sowie weitere Details zu möglichen Herkunftsländern der Täter. --------------------------------------------- https://heise.de/-3840809 ∗∗∗ Gefälschte Apple-Nachricht: Subscription Confirmation ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Apple-Nachricht. Darin behaupten sie, dass Empfänger/innen eine teure Anwendung gekauft haben. Sollte das nicht der Fall sein, können sie die Bestellung auf einer Website stornieren. Apple-Kund/innen, die den angeblichen Einkauf rückgängig machen wollen, übermitteln ihre Kreditkartendaten an Betrüger/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-apple-nachricht-subs… ∗∗∗ A Historical Perspective on IT & OT Convergence ∗∗∗ --------------------------------------------- Hello IIoT World readers, and thanks for engaging with my column. Over the course of the next few months, I plan to write on a number of topics that are, individually, highly relevant to the IIoT Security realm. Perhaps more importantly, many of these topics can be viewed as being all inter-related in a way that describes some of the things Continue ReadingThe post A Historical Perspective on IT & OT Convergence appeared first on Create a culture of innovation with IIoT World!. --------------------------------------------- http://iiot-world.com/cybersecurity/a-historical-perspective-on-it-ot-conve… ∗∗∗ The Ethics of Running a Data Breach Search Service ∗∗∗ --------------------------------------------- No matter how much anyone tries to sugar coat it, a service like Have I been pwned (HIBP) which deals with billions of records hacked out of other peoples systems is always going to sit in a grey area. There are degrees, of course; at one end of the spectrum [...] --------------------------------------------- https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/ ===================== = Advisories = ===================== ∗∗∗ Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface ∗∗∗ --------------------------------------------- A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance. --------------------------------------------- https://support.citrix.com/article/CTX227928 ∗∗∗ IBM Security Bulletin: privilege escalation in IBM Business Process Manager (BPM) – CVE-2017-1539 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007451 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Center Console (CVE-2017-1531) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007354 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Admin Console (CVE-2017-1530) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007351 ∗∗∗ IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007346 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1425 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006265 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21996096 ∗∗∗ Alert for CVE-2017-9805 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-388… ∗∗∗ Apache ActiveMQ vulnerability CVE-2016-6810 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55444705 ∗∗∗ HPESBNS03775 rev.1 - HPE NonStop Samba, Remote Disclosure of Information, Authentication Bypass, Unauthorized Elevation of Privilege ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2017
by Daily end-of-shift report 22 Sep '17

22 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-09-2017 18:00 − Freitag 22-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CLKSCREW Attack Can Hack Modern Chipsets via Their Power Management Features ∗∗∗ --------------------------------------------- A team of three scientists from Columbia University has discovered that by attacking the combo of hardware and software management utilities embedded with modern chipsets, threat actors can take over systems via an attack surface found in almost all modern electronic devices. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-mod… ∗∗∗ Ecommerce Security: Fake Jquery Used as CC Scraper ∗∗∗ --------------------------------------------- In the last few months, we noticed an increase in attacks targeting ecommerce platforms aiming to steal credit card information. We saw a similar rise last year after the summer ended, and believe that trend will continue now that the holiday season is quickly approaching. Most of these attacks are based on intercepting the communication between the online store and the payment gateway (the checkout process) in order to send valuable information to the attacker. --------------------------------------------- https://blog.sucuri.net/2017/09/fake-jquery-used-cc-scraper-ecommerce.html ∗∗∗ How I hacked hundreds of companies through their helpdesk ∗∗∗ --------------------------------------------- Months ago I discovered a flaw hackers can use to access a companys internal communications. The flaw only takes a couple of clicks to potentially access intranets, social media accounts such as Twitter, and most commonly Yammer and Slack teams. --------------------------------------------- https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-… ∗∗∗ Passwords to Over a Half Million Car Tracking Devices Leaked Online ∗∗∗ --------------------------------------------- We’ve seen a lot of data breaches this year: some big, some small, some that are dangerous, and some that are just embarrassing. But if we were to name one as the creepiest data breach of 2017, this leak of logins for car tracking devices might take the cake. --------------------------------------------- https://gizmodo.com/passwords-to-access-over-a-half-million-car-tracking-de… ∗∗∗ Tips for Reverse-Engineering Malicious Code ∗∗∗ --------------------------------------------- This cheat sheet outlines tips for reversing malicious Windows executables via static and dynamic code analysis with the help of a debugger and a disassembler. --------------------------------------------- https://zeltser.com/reverse-engineering-malicious-code-tips/ ∗∗∗ Hack the Hacker – Fuzzing Mimikatz On Windows With WinAFL & Heatmaps (0day) ∗∗∗ --------------------------------------------- In this blogpost, I want to explain two topics from a theoretical and practical point of view: How to fuzz windows binaries with source code available (this part is for developers) and How to deal with big input files (aka heatmap fuzzing) and crash analysis (for security consultants; more technical) --------------------------------------------- https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikat… ===================== = Advisories = ===================== ∗∗∗ Schneider Electric InduSoft Web Studio, InTouch Machine Edition ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a missing authentication for critical function vulnerability in Schneider Electrics InduSoft Web Studio and InTouch Machine Edition. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-01 ∗∗∗ Ctek, Inc. SkyRouter ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in the Ctek, Inc. SkyRouter. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-02 ∗∗∗ Digium Asterisk GUI ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an OS command injection vulnerability in Digiums Asterisk GUI. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03 ∗∗∗ iniNet Solutions GmbH SCADA Webserver ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in iniNet Solutions GmbH’s SCADA Webserver. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-264-04 ∗∗∗ Saia Burgess Controls PCD Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an information exposure vulnerability in Saia Burgess Controls PCD Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-05 ∗∗∗ DFN-CERT-2017-1682: Perl: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe und das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1682/ ∗∗∗ Security Advisory - Information Leakage Vulnerability on OceanStor ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Notice - Statement on App Lock Bypass Vulnerability in Huawei EMUI ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170922-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099638 ∗∗∗ IBM Security Bulletin: API Connect is affected by a vulnerability by which an authenticated user could generate an API token ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008588 ∗∗∗ IBM Security Bulletin: API Connect is affected by a Cross Frame Scripting vulnerability CVE-2017-1551 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008372 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007168 ∗∗∗ IBM Security Bulletin: HTML injection vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1424 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005112 ∗∗∗ IBM Security Bulletin: Security Identity Adapter data traffic to/from server is not encrypted by default ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007381 ∗∗∗ IBM Security Bulletin: Potential information leakage during process app export in IBM Business Process Manager (CVE-2017-1346) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004654 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting vulnerability in Business Space Help affects IBM Business Process Manager (BPM) and WebSphere Process Server (WPS) – CVE-2013-0464 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005596 ∗∗∗ EMC M&R Watch4net for SAS Solution Packs WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039418 ∗∗∗ EMC ViPR SRM WebService Gateway Directory Traversal Flaw Lets Remote Authenticated Users Access and Modify Data and JMX Protocol Flaw Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039417 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2017
by Daily end-of-shift report 21 Sep '17

21 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-09-2017 18:00 − Donnerstag 21-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Transportverschlüsselung zwischen Mailservern ∗∗∗ --------------------------------------------- Empfehlungen zur Konfiguration mit Beispielen für Postfix und exim --------------------------------------------- https://www.dfn-cert.de/aktuell/smtp-transportverschluesselung.html ∗∗∗ Optimierungsprogramm: Ccleaner-Malware sollte wohl Techkonzerne ausspionieren ∗∗∗ --------------------------------------------- Cisco widerspricht Avast: Die zweite Stufe der mit Ccleaner verteilten Malware sei sehr wohl aktiviert worden. Angeblich sollen die Macher der Kampagne es auf Betriebsgeheimnisse großer Techfirmen abgesehen haben. --------------------------------------------- https://www.golem.de/news/optimierungsprogramm-ccleaner-malware-sollte-wohl… ∗∗∗ FedEX: TNT verliert durch NotPetya 300 Millionen US-Dollar ∗∗∗ --------------------------------------------- Angriffe auf die IT-Infrastruktur sind teuer: Nach Maersk hat auch das Logistikunternehmen TNT einen erheblichen Verlust durch NotPetya bekannt gegeben. Die Reparatur aller Systeme soll bis Ende September abgeschlossen werden. --------------------------------------------- https://www.golem.de/news/fedex-tnt-verliert-durch-notpetya-300-millionen-u… ∗∗∗ Deep-Learning PassGAN Tool Improve Password Guessing ∗∗∗ --------------------------------------------- A deep-learning network known as a GAN has been applied to passwords, and a tool called PassGAN significantly improves the ability to guess user passwords over tools such as Hashcat or John the Ripper. --------------------------------------------- http://threatpost.com/deep-learning-passgan-tool-improve-password-guessing/… ∗∗∗ Introducing Burplay, A Burp Extension for Detecting Privilege Escalations ∗∗∗ --------------------------------------------- The seventh entry on the most recent OWASP Top 10 release (from 2013, due to the 2017 release candidate being rejected!) is "Missing Function Level Access Control", which is essentially what leads to Privilege Escalation issues. This common vulnerability related... --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Introducing-Burplay,-A-… ∗∗∗ New FinFisher surveillance campaigns: Are internet providers involved? ∗∗∗ --------------------------------------------- New surveillance campaigns utilizing FinFisher, infamous spyware known also as FinSpy and sold to governments and their agencies worldwide, are in the wild. Besides featuring technical improvements, some of these variants have been using a cunning, previously-unseen infection vector with strong indicators of major internet service provider (ISP) involvement. --------------------------------------------- https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campai… ∗∗∗ Intel Management Engine gehackt ∗∗∗ --------------------------------------------- Sicherheitsexperten zeigten, wie sie eine Sicherheitslücke in Intels ME-Firmware nutzen, um unsignierten Code auszuführen. Die ME hat im Prinzip unbeschränkten Zugriff auf die Hardware des Systems, kann aber von Virenscannern nicht überwacht werden. --------------------------------------------- https://heise.de/-3837239 ∗∗∗ Verschlüsselung: Gpg4win 3.0 hält sich dezent im Hintergrund ∗∗∗ --------------------------------------------- Die Windows-Softwaresammlung Gpg4win verwendet Version 2.2 der freien Krypto-Engine GnuPG und sorgt dafür, dass Outlook mit dem OpenPGP/MIME-Standard umgehen kann. --------------------------------------------- https://heise.de/-3837176 ===================== = Advisories = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 20, 2017 The Samba Team has released security updates to address several vulnerabilities in Samba. An attacker could exploit any of these vulnerabilities to obtain access to potentially sensitive information.US-CERT encourages users and administrators to review the Samba Security Announcements for CVE-2017-12150, CVE-2017-12151, and CVE-2017-12163 and apply the necessary updates, or refer to their Linux or Unix-based OS vendors for appropriate patches. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/09/20/Samba-Releases-Sec… ∗∗∗ Page Access - Unsupported - SA-CONTRIB-2017-75 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910306 ∗∗∗ Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2910308 ∗∗∗ Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2907118 ∗∗∗ Security Update for tvOS 11 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208113 ∗∗∗ Security Update for watchOS 4 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208115 ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wide Area Application Services HTTP Application Optimization Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Central Software Command Line Interface Restricted Shell Break Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business SPA300, SPA500, and SPA51x Series IP Phones Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Managed Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FindIT DLL Preloading Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Operations Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Intelligence Center User Interface Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Vulnerability in the Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-6214) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099637 ∗∗∗ IBM Security Bulletin: IBM MQ termination of a client application causes denial of service (CVE-2017-1235) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005415 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL, GNUTls, RHEL CVE-2016-8610 'SSL-Death-Alert' affects IBM Cisco switches and directors. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010572 ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities affect DB2 Text Search Stand Alone Accessories Suite ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007190 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2601, CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 ∗∗∗ HPESBHF03705 rev.2 - HPE Integrated Lights-Out 4 and Moonshot Remote Console Administrator (iLO 4 and MRCA) Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2017
by Daily end-of-shift report 20 Sep '17

20 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-09-2017 18:00 − Mittwoch 20-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests ∗∗∗ --------------------------------------------- iTerm2, a popular Mac application that comes as a replacement for Apples official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-… ∗∗∗ New tool: mac-robber.py, (Tue, Sep 19th) ∗∗∗ --------------------------------------------- On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22844 ===================== = Advisories = ===================== ∗∗∗ PHOENIX CONTACT mGuard Device Manager ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper access control vulnerabilities within PHOENIX CONTACTs mGuard Device Manager associated with Oracle Java SE. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-262-01 ∗∗∗ WordPress 4.8.2 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. --------------------------------------------- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance… ∗∗∗ Apple Security Updates ∗∗∗ --------------------------------------------- iOS 11: https://support.apple.com/en-us/HT208112 Safari 11: https://support.apple.com/en-us/HT208116 Xcode 9: https://support.apple.com/en-us/HT208103 --------------------------------------------- ∗∗∗ DFN-CERT-2017-1665: Apache Foundation Tomcat: Zwei Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1665/ ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei CPE Devices ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ Security Advisory - Information Exposure Vulnerability on FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170920-… ∗∗∗ F5 TMM vulnerability CVE-2017-6147 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43945001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2017
by Daily end-of-shift report 19 Sep '17

19 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 18-09-2017 18:00 − Dienstag 19-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Clarifies Details Surrounding CCleaner Malware Incident ∗∗∗ --------------------------------------------- Avast published earlier today a post-mortem of the CCleaner malware incident, in the hopes to clarify some of the details surrounding the event that many of its users found troubling. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-clarifies-details-surr… ∗∗∗ Apples FaceID ∗∗∗ --------------------------------------------- This is a good interview with Apples SVP of Software Engineering about FaceID. Honestly, I dont know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it cant be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important: I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/09/apples_faceid.html ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this: [...] --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Someone checked and, yup, you can still hijack Gmail, Bitcoin wallets etc via dirty SS7 tricks ∗∗∗ --------------------------------------------- Two-factor authentication by SMS? More like SOS Once again, its been demonstrated that vulnerabilities in cellphone networks can be exploited to intercept one-time two-factor authentication tokens in text messages. --------------------------------------------- https://www.theregister.co.uk/2017/09/18/ss7_vuln_bitcoin_wallet_hack_risk/ ∗∗∗ Open Hadoop Service Scanning Project ∗∗∗ --------------------------------------------- If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the Hadoop Namenode or Datanode web service. The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have one or both of these hadoop services service running. The goal of this project is to identify openly accessible systems that have these services running and report them back to the network owners for [...] --------------------------------------------- https://hadoopscan.shadowserver.org/ ∗∗∗ Call for Papers IT-SECX 2017 - "Future incident response" ∗∗∗ --------------------------------------------- Die IT-SECX ist eine Security-Konferenz mit Vorträgen und Workshops. [...] Das Motto der heurigen IT-SECX ist "Future incident response" mit dem Ziel aktuelle gezielte Angriffe, Malwarekampagnen und Gegenmaßnahmen zu diskutieren. Mit diesem Fokus sind Einreichungen für Vorträge zu folgenden Themen erwünscht: [...] --------------------------------------------- https://itsecx.fhstp.ac.at/call-for-papers/ ∗∗∗ Gefährdeter Datenschutz: Firefox löscht lokale Datenbanken nicht ∗∗∗ --------------------------------------------- Der Firefox-Browser bringt ein großes Datenschutzproblem mit sich. Nur umständlich lässt sich die Firefox-Chronik von Nutzern löschen. Webseiten können mühelos auf zuvor im Browser gespeicherte Daten zugreifen. --------------------------------------------- https://heise.de/-3835084 ∗∗∗ PC-Wahl: CCC demonstriert erneut einen Angriff und bietet Open-Source-Hilfe ∗∗∗ --------------------------------------------- Mit einem demonstrativen Hack macht der CCC auf ein erneutes Sicherheitsproblem der bereits mehrfach nachgebesserten Wahl-Software aufmerksam. Eine Open-Source-Spende soll PC-Wahl jetzt zu einer sicheren Update-Funktion verhelfen. --------------------------------------------- https://heise.de/-3835282 ∗∗∗ Unternehmen im Visier von Cyber-Kriminellen ∗∗∗ --------------------------------------------- Mit gefälschten Zahlungsanweisungen versuchen Kriminelle, von Unternehmen hohe Geldsummen zu stehlen. Ihre Nachrichten richten sich direkt an die Buchhaltung und geben vor, dass sie von der Geschäftsführung stammen. Mitarbeiter/innen, die auf den sogenannten CEO-Betrug hereinfallen, verursachen hohe Verluste. Wir zeigen Ihnen, wie Sie Ihr Unternehmen vor diesem Betrug schützen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/unternehmen-im-visier-von-cyber… ===================== = Advisories = ===================== ∗∗∗ [20170901] - Core - Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 3.7.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-August-4 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14595 Description A logic bug in a SQL query could lead to the disclosure of article intro texts when these articles are in the archived state. Affected Installs Joomla! CMS versions 3.7.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/710-20170901-core-information-… ∗∗∗ [20170902] - Core - LDAP Information Disclosure ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Medium Versions: 1.5.0 through 3.7.5 Exploit type: Information Disclosure Reported Date: 2017-July-27 Fixed Date: 2017-September-19 CVE Number: CVE-2017-14596 Description Inadequate escaping in the LDAP authentication plugin can result into a disclosure of username and password. Affected Installs Joomla! CMS versions 1.5.0 through 3.7.5 Solution Upgrade to version 3.8.0 --------------------------------------------- https://developer.joomla.org/security-centre/711-20170902-core-ldap-informa… ∗∗∗ Security Advisory 2017-04: Security Update for all OTRS Versions ∗∗∗ --------------------------------------------- September 18, 2017 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org --------------------------------------------- https://www.otrs.com/security-advisory-2017-04-security-update-otrs-version… ∗∗∗ DSA-3978 gdk-pixbuf - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3978 ∗∗∗ DSA-3977 newsbeuter - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3977 ∗∗∗ DFN-CERT-2017-1643: Moodle: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1643/ ∗∗∗ Security Advisory - Multiple Vulnerabilities in MTK Platform ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170919-… ∗∗∗ IBM Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008323 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect API Connect ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008382 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22008122 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007663 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007665 ∗∗∗ Expat vulnerability CVE-2016-0718 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52320548 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2017
by Daily end-of-shift report 18 Sep '17

18 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-09-2017 18:00 − Montag 18-09-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Machine Learning Myths ∗∗∗ --------------------------------------------- “Machine learning” is the new “it” buzzword in security. As a result, it’s being thrown around fairly loosely on vendor websites and in marketing materials. Not only is that unfortunate for anyone looking to get a straight answer on how machine learning can help their company stay more secure, it is also fostering a general sense of confusion around what the term actually means. To help clear things up, let’s take a closer look at six of the most common [...] --------------------------------------------- https://feeds.feedblitz.com/~/459728214/0/alienvault-blogs~Machine-Learning… ∗∗∗ Optionsbleed: Apache-Webserver blutet ∗∗∗ --------------------------------------------- Beim Apache-Webserver lassen sich in bestimmten Konfigurationen Speicherfragmente durch einen Angreifer auslesen. Besonders kritisch ist diese Lücke in Shared-Hosting-Umgebungen. --------------------------------------------- https://www.golem.de/news/optionsbleed-apache-webserver-blutet-1709-130105-… ∗∗∗ CCleaner: Avast verteilt Malware mit Optimierungsprogramm ∗∗∗ --------------------------------------------- So hatten sich Nutzer die Optimierung des PCs sicher nicht vorgestellt: Eine Version von CCleaner wurde für rund einen Monat mit Malware ausgeliefert. --------------------------------------------- https://www.golem.de/news/ccleaner-avast-verteilt-malware-mit-optimierungsp… ∗∗∗ An (un)documented Word feature abused by attackers ∗∗∗ --------------------------------------------- A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content. --------------------------------------------- http://securelist.com/an-undocumented-word-feature-abused-by-attackers/8189… ∗∗∗ Malicious Backdoors: Fake Images and Strrev Functions ∗∗∗ --------------------------------------------- When a website is compromised, attackers frequently leave behind a backdoor – according to our research around 70% of all website hacks include a backdoor. These backdoors are not designed to attack a website or destroy data, instead they allow an attacker to re-enter a targeted website with little to no authentication, providing them with unauthorized access to the system. Backdoors can be planted anywhere within a site, file system, or database. --------------------------------------------- https://blog.sucuri.net/2017/09/malicious-backdoors-fake-images-strrev-func… ∗∗∗ Achtung: Aktuelle Spam-Mails fälschen Absender von Mitarbeitern ∗∗∗ --------------------------------------------- Akute Gefahr geht von einer Schädlingswelle aus, die per E-Mail anrollt. Durch eine clevere Wahl der Absender könnten auch versierte Anwender verleitet werden, dem darin enthaltenen Link zu folgen. Er führt zu bislang weitgehend unerkannter Malware. --------------------------------------------- https://heise.de/-3834782 ∗∗∗ Keine Sicherheits-App der Erste Bank installieren ∗∗∗ --------------------------------------------- In einer gefälschten Erste Bank-Nachricht fordern Kriminelle Kund/innen dazu auf, dass sie eine Sicherheits-App für ihr mobiles Endgerät installieren. Das sei angeblich notwendig, damit diese weiterhin ihren OnlineBanking-Zugang nützen können. In Wahrheit ist die Sicherheits-App Schadsoftware. Sie ermöglicht es Unbekannten, auf die Konten ihrer Opfer zuzugreifen. --------------------------------------------- https://www.watchlist-internet.at/schadsoftware/keine-sicherheits-app-der-e… ∗∗∗ People cant read (Equifax edition) ∗∗∗ --------------------------------------------- One of these days Im going to write a guide for journalists reporting on the cyber. One of the items Id stress is that they often fail to read the text of what is being said, but instead read some sort of subtext that wasnt explicitly said. This is valid sometimes -- as the subtext is what the writer intended all along, even if they didnt explicitly write it. Other times, though the imagined subtext is not what the writer intended at all. A good example is the recent Equifax breach. --------------------------------------------- http://blog.erratasec.com/2017/09/people-cant-read-equifax-edition.html ===================== = Advisories = ===================== ∗∗∗ DSA-3974 tomcat8 - security update ∗∗∗ --------------------------------------------- Two issues were discovered in the Tomcat servlet and JSP engine. --------------------------------------------- https://www.debian.org/security/2017/dsa-3974 ∗∗∗ DSA-3975 emacs25 - security update ∗∗∗ --------------------------------------------- Charles A. Roelli discovered that Emacs is vulnerable to arbitrary codeexecution when rendering text/enriched MIME data (e.g. when usingEmacs-based mail clients). --------------------------------------------- https://www.debian.org/security/2017/dsa-3975 ∗∗∗ DSA-3976 freexl - security update ∗∗∗ --------------------------------------------- Marcin Icewall Noga of Cisco Talos discovered two vulnerabilities infreexl, a library to read Microsoft Excel spreadsheets, which mightresult in denial of service or the execution of arbitrary code if amalformed Excel file is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3976 ∗∗∗ ZDI-17-811: EMC Data Protection Advisor Application Service Static Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on vulnerable installations of EMC Data Protection Advisor. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-811/ ∗∗∗ Magento 2.0.16 and 2.1.9 Security Update ∗∗∗ --------------------------------------------- Magento Commerce and Open Source 2.1.9 and 2.0.16 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/magento-2016-and-219-security-update ∗∗∗ SUPEE-10266 ∗∗∗ --------------------------------------------- SUPEE-10266, Magento Commerce 1.14.3.6 and Open Source 1.9.3.6 contain multiple security enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. --------------------------------------------- https://magento.com/security/patches/supee-10266 ∗∗∗ BlackBerry response to impact of the vulnerabilities known as BlueBorne on BlackBerry products ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Vuln: Moodle CVE-2017-12157 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100848 ∗∗∗ Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meeting Server TURN Server Unauthorized Access and Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1634: ChakraCore: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1634/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008401 ∗∗∗ IBM Security Bulletin: A vulnerability in XStream affects IBM InfoSphere Information Governance components ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004784 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-3511, CVE-2017-10115, CVE-2017-10116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006034 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006028 ∗∗∗ IBM Security Bulletin: Sweet32 vulnerability affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006040 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Storage Productivity Center (CVE-2017-1137) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006029 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1121) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006027 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008182 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® WebSphere Real Time ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006696 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008410 ∗∗∗ OpenJDK vulnerabilities CVE-2015-2621, CVE-2015-2632, CVE-2015-4748, and CVE-2015-4749 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K84947349 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2017
by Daily end-of-shift report 15 Sep '17

15 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2017 18:00 − Freitag 15-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ten Malicious Libraries Found on PyPI - Python Package Index ∗∗∗ --------------------------------------------- The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-foun… ∗∗∗ Equifax Confirms March Struts Vulnerability Behind Breach ∗∗∗ --------------------------------------------- Equifax divulged on Wednesday that the culprit behind this summers breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March. --------------------------------------------- http://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-br… ∗∗∗ VMware Patches Bug That Allows Guest to Execute Code on Host ∗∗∗ --------------------------------------------- Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. --------------------------------------------- http://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-… ∗∗∗ Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users ∗∗∗ --------------------------------------------- Even after so many efforts by Google, malicious apps somehow managed to fool its Play Stores anti-malware protections and infect people with malicious software. The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks. Security firm Check Point on --------------------------------------------- https://thehackernews.com/2017/09/play-store-malware.html ∗∗∗ Google veröffentlicht API zum Malware-Schutz für Android ∗∗∗ --------------------------------------------- Mit der SafetyNet Verify Apps API können Apps überprüfen, ob Android-Endgeräte Google Play Protect verwenden. Auch der Zugriff auf die Scan-Funktion ist über die Schnittstelle möglich. --------------------------------------------- https://heise.de/-3832697 ∗∗∗ Bashware: Windows 10 über Linux-Komponente angreifbar ∗∗∗ --------------------------------------------- Die Sicherheitsfirma Checkpoint hat eine Möglichkeit gefunden, wie man Windows-10-Rechner über die optionalen Linux-Komponenten des Betriebssystems angreifen kann. Allerdings übertreiben die Forscher den Ernst der Lage gehörig. --------------------------------------------- https://heise.de/-3833695 ∗∗∗ Malvertising-Kampagne setzt auf Krypto-Mining in fremden Browsern ∗∗∗ --------------------------------------------- Fremde CPU-Leistung mittels Malware zum Mining von Bitcoins und Co. zu missbrauchen, ist eine altbewährte Strategie. Eine aktuelle Malvertising-Kampagne im osteuropäischen Raum verlegt das Mining per JavaScript direkt in den Webbrowser. --------------------------------------------- https://heise.de/-3833536 ===================== = Advisories = ===================== ∗∗∗ LOYTEC LVIS-3ME ∗∗∗ --------------------------------------------- This advisory contains mitigation details for relative path traversal, insufficient entropy, cross-site scripting and insufficiently protected credentials vulnerabilities within LOYTECs LVIS-3ME HMI touch panel. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01 ∗∗∗ VMSA-2017-0015 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0015.html ∗∗∗ USN-3417-1: Libgcrypt vulnerability ∗∗∗ --------------------------------------------- Ubuntu Security Notice USN-3417-1 14th September, 2017 libgcrypt20 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Libgcrypt could be made to expose sensitive information. Software description libgcrypt20 - LGPL Crypto library Details Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys. --------------------------------------------- http://www.ubuntu.com/usn/usn-3417-1/ ∗∗∗ IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010471 ∗∗∗ IBM Security Bulletin: Open Source Apache PDFBox Vulnerabilities in IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2017
by Daily end-of-shift report 14 Sep '17

14 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2017 18:00 − Donnerstag 14-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Zerodium Offering $1M for Tor Browser Zero Days ∗∗∗ --------------------------------------------- Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day. --------------------------------------------- http://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/ ∗∗∗ Another webshell, another backdoor! ∗∗∗ --------------------------------------------- Im still busy to follow how webshells are evolving... I recently found another backdoor in another webshell called "cor0.id". The best place to find webshells remind pastebin.com. When Im testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. --------------------------------------------- https://isc.sans.edu/diary/rss/22826 ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this ... --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Samsung’s launches bug bounty program and will reward up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software ∗∗∗ --------------------------------------------- Samsung says,”We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,”. --------------------------------------------- https://www.techposts.net/samsung-launches-bug-bounty-program-offering-boun… ∗∗∗ Enlarge your botnet with: top D-Link routers (DIR8xx D-Link routers cruisin for a bruisin) ∗∗∗ --------------------------------------------- In this article, we are going to discuss vulnerabilities detected in the top D-Link routers. The devices use the same code, thus giving a magnificent and quite tempting opportunity to attackers to add them to a botnet. Moreover, we have managed to make Mirai for the devices by modifying its compilation script a bit. --------------------------------------------- https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-lin… ∗∗∗ "Display Widgets": WordPress-Plugin mit Backdoor aus Repository entfernt ∗∗∗ --------------------------------------------- Ein Plugin zur Verwaltung von WordPress-Widgets enthielt eine Backdoor, die dessen Herausgeber über Monate hinweg den Fernzugriff ermöglichte. Nun wurde es endgültig aus dem WordPress-Repository entfernt. Ein Update säubert bestehende Installationen. --------------------------------------------- https://heise.de/-3831761 ∗∗∗ Schwere Lücke im Router D-Link DIR-850L: Patches kommen am 19. September ∗∗∗ --------------------------------------------- Die Heimrouter können von Angreifern aus der Ferne übernommen werden. Bisher gibt es kein Update, da der Entdecker der Lücken D-Link vor der Veröffentlichung nicht informiert hat. Nun hat die Firma das Datum mitgeteilt, ab dem es Patches geben soll. --------------------------------------------- https://heise.de/-3832456 ∗∗∗ End of extended support for Office 2007 ∗∗∗ --------------------------------------------- The end of extended support for the Office 2007 family of desktop and server products is coming up next month. See Office 2007 approaching end of extended support for more details and the list of affected products. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/09/13… ===================== = Advisories = ===================== ∗∗∗ DSA-3972 bluez - security update ∗∗∗ --------------------------------------------- An information disclosure vulnerability was discovered in the ServiceDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker toobtain sensitive information from bluetoothd process memory, includingBluetooth encryption keys. --------------------------------------------- https://www.debian.org/security/2017/dsa-3972 ∗∗∗ Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074 ∗∗∗ --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-074 Vulnerability: Cross Site Request Forgery Description: The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. --------------------------------------------- https://www.drupal.org/node/2908592 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2017-1289) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007617 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002883 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002863 ∗∗∗ Persistent Cross-Site Scripting in SilverStripe CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/persistent-cross-site-script… ∗∗∗ Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authenticated-command-inject… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2017
by Daily end-of-shift report 13 Sep '17

13 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2017 18:00 − Mittwoch 13-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 4,000 ElasticSearch Servers Found Hosting PoS Malware Files ∗∗∗ --------------------------------------------- The Kromtech Security Center has identified over 4,000 instances of ElasticSearch servers that are hosting files specific to two strains of POS (Point of Sale) malware — AlinaPOS and JackPOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-elasticsearch-ser… ∗∗∗ Blueborne: Sicherheitslücken gefährden fünf Milliarden Bluetooth-Geräte ∗∗∗ --------------------------------------------- Etwa fünf Milliarden Geräte weltweit sollen von kritischen Bluetooth-Sicherheitslücken betroffen sein. Die Fehler liegen jedoch nicht im Protokoll, sondern in den entsprechenden Stacks von Windows, Linux und Android. Bei Apple sind nur ältere Geräte von Blueborne betroffen. --------------------------------------------- https://www.golem.de/news/bluetooth-kritische-sicherheitsluecken-ermoeglich… ∗∗∗ Exploit for CVE-2017-8759 detected and neutralized ∗∗∗ --------------------------------------------- The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-87… ∗∗∗ Hackers Got Into America’s Power Grid. But Don’t Freak Out. ∗∗∗ --------------------------------------------- Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid. --------------------------------------------- http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/ ∗∗∗ WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets ∗∗∗ --------------------------------------------- Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised .. --------------------------------------------- https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of… ∗∗∗ Adobe stopft Sicherheitslücken in Flash, ColdFusion und RoboHelp ∗∗∗ --------------------------------------------- Auch bei Adobe ist wieder Patchday und der Tradition entsprechend patcht die Firma zu dieser Gelegenheit wieder einmal kritische Lücken im Flash Player. Auch ColdFusion und RoboHelp erhalten Updates. --------------------------------------------- https://heise.de/-3830067 ∗∗∗ Compromised LinkedIn accounts used to send phishing links via private message and InMail ∗∗∗ --------------------------------------------- A recent attack uses existing LinkedIn user accounts to send phishing links to their contacts via private message .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/compromised-linkedin-… ∗∗∗ Patchday: Microsoft stopft Staatstrojaner-Schlupfloch ∗∗∗ --------------------------------------------- Lücke in Word und .NET-Framework wurde von FinFisher-Malware ausgenutzt --------------------------------------------- http://derstandard.at/2000064009454 ===================== = Advisories = ===================== ∗∗∗ DSA-3971 tcpdump - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3971 ∗∗∗ DSA-3970 emacs24 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3970 ∗∗∗ DSA-3969 xen - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3969 ∗∗∗ Local File Disclosure in VLC media player iOS app ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc… ∗∗∗ Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2017
by Daily end-of-shift report 12 Sep '17

12 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2017 18:00 − Dienstag 12-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Miners on the Rise ∗∗∗ --------------------------------------------- Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially. --------------------------------------------- http://securelist.com/miners-on-the-rise/81706/ ∗∗∗ Google to kill Symantec certs in Chrome 66, due in early 2018 ∗∗∗ --------------------------------------------- This is how trust ends, not with a bang but with a whimper Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.… --------------------------------------------- www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/ ∗∗∗ D-Link DIR-850L: Router können gekapert werden, Patches nicht verfügbar ∗∗∗ --------------------------------------------- In D-Links Heimrouter 850L klaffen schwerwiegende Sicherheitslücken, über die Angreifer die Geräte in ihre Kontrolle bringen können. Updates, welche die Lücken schließen, sind vorerst nicht zu erwarten. --------------------------------------------- https://heise.de/-3828382 ∗∗∗ SAP Security Patch Day – September 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly .. --------------------------------------------- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe RoboHelp (APSB17-25), Adobe Flash Player (APSB17-28) and ColdFusion (APSB17-30). Adobe recommends users update their product .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1491 ∗∗∗ DSA-3968 icedove - security update ∗∗∗ --------------------------------------------- Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2017/dsa-3968 ∗∗∗ Email verification bypass in SAP E-Recruiting ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/email-verification-bypass-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2017
by Daily end-of-shift report 11 Sep '17

11 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2017 18:00 − Montag 11-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Energieversorgung: E-Mail-Konten sind besser gesichert als Windparks ∗∗∗ --------------------------------------------- Windparks machen einen professionellen Eindruck, doch bei der IT-Sicherheit hapert es leider. Recherchen von Internetwache.org und Golem.de zeigen eine Menge Schwachstellen und ein Chaos bei der Zuständigkeit. --------------------------------------------- https://www.golem.de/news/energieversorgung-e-mail-konten-sind-besser-gesic… ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Australian researchers show how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.… --------------------------------------------- www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_th… ∗∗∗ Apache Foundation rebuffs allegation it allowed Equifax attack ∗∗∗ --------------------------------------------- Timeline explains that either Equifax didnt patch old bugs, or was zero-dayed The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak.… --------------------------------------------- www.theregister.co.uk/2017/09/11/apache_rebuts_equifax_allegation/ ∗∗∗ Bug im Windows-Kernel könnte durch Schadcode missbraucht werden ∗∗∗ --------------------------------------------- Im Windows-Kernel schlummert seit Jahren eine Lücke, die in einigen Fällen dafür sorgen könnte, dass Malware vom Radar von Sicherheitssoftware verschwindet. Laut ihrem Entdecker zeigt sich Microsoft bislang aber eher desinteressiert. --------------------------------------------- https://heise.de/-3825130 ∗∗∗ Equifax Breach Response Turns Dumpster Fire ∗∗∗ --------------------------------------------- I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans. --------------------------------------------- https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-… ∗∗∗ Hack: 143 Millionen US-Amerikanern droht Identitätsdiebstahl ∗∗∗ --------------------------------------------- Datendiebstahl bei US-Finanzinstitut Equifax gilt als einer der schlimmsten Einbrüche in der IT-Geschichte --------------------------------------------- http://derstandard.at/2000063850369 ∗∗∗ Another Apache Struts Vulnerability Under Active Exploitation ∗∗∗ --------------------------------------------- This post authored by Nick Biasini with contributions from Alex Chiu.Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache --------------------------------------------- http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ HPESBNS03755 rev.2 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2017
by Daily end-of-shift report 08 Sep '17

08 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-09-2017 18:00 − Freitag 08-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Daten von 143 Millionen US-Amerikanern entwendet ∗∗∗ --------------------------------------------- Bei einem Cyberangriff auf den US-Finanzdienstleister Equifax wurden äußerst sensible Daten von Millionen Amerikanern erbeutet, die nun Betrug im großen Stil ermöglichen. --------------------------------------------- https://futurezone.at/digital-life/daten-von-143-millionen-us-amerikanern-e… ∗∗∗ Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions ∗∗∗ --------------------------------------------- Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.The post Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions appeared first on Palo Alto Networks Blog. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-ov… ∗∗∗ YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday ∗∗∗ --------------------------------------------- Yesterday saw CVE-2017-9805, today we have a new remote code execution vulnerability in Apache Struts 2 which is CVE-2017-12611. Yesterdays was in the REST API and related to Java XML unsafe deserializarion. Todays relates to using Freemarker in your application. Both should encourage you to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/22796 ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Heres how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/cross_domai… ∗∗∗ TLS-Zertifikate: CAAs sollen Zertifizierungsstellen an die Leine legen ∗∗∗ --------------------------------------------- Admins können mit einer Certification Authority Authorization im DNS festlegen, wer Zertifikate für ihre Domain unterschreiben darf. Ab dem 8. September sind diese Vorgaben für Zertifizierungsstellen verbindlich. --------------------------------------------- https://heise.de/-3822010 ∗∗∗ Sechs Lücken in Android-Bootloadern bekannter Hersteller entdeckt ∗∗∗ --------------------------------------------- Die automatisierte Analyse des Codes zweier Android-Bootloader förderte insgesamt sechs Schwachstellen zutage. Denial-of-Service und Zugriff auf sensible Daten sind mögliche Folgen – allerdings nur dann, wenn der Angreifer bereits Root-Rechte hat. --------------------------------------------- https://heise.de/-3824289 ∗∗∗ Schwachstelle in Typo3-Repository als mögliches Schlupfloch für trojanisierte Erweiterungen ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers hätten Dritte unter Umständen mit beliebigem Passwort auf das Typo3 Extension Repository zugreifen können. Nun warnen die Entwickler vor möglichen Erweiterungen mit Schadcode. --------------------------------------------- https://heise.de/-3825378 ∗∗∗ Keine Kartenaktivierung bei card complete erforderlich ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte card complete-Nachricht. Darin heißt es, dass die Kreditkarte von Kund/innen gesperrt worden sei. Für eine Reaktivierung sollen diese persönliche Daten bekannt geben. Wer der Aufforderung nachkommt, sendet Betrüger/innen seine Kreditkarteninformationen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-kartenaktivierung-bei-card… ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01 ∗∗∗ PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-02 ∗∗∗ i-SENS Inc. SmartLog Diabetes Management Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01 ∗∗∗ DFN-CERT-2017-1587/">GDK-PixBuf: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1587/ ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007909 ∗∗∗ IBM Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008217 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005380 ∗∗∗ IBM Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE’s. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008210 ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure. (CVE-2017-1162) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008194 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2017
by Daily end-of-shift report 07 Sep '17

07 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-09-2017 18:00 − Donnerstag 07-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackBerry powered by Android Security Bulletin – September 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4 ∗∗∗ --------------------------------------------- Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises. --------------------------------------------- https://www.csoonline.com/video/81516/ransomware-what-you-need-to-know-now-… ∗∗∗ Microsoft Programming Error is Behind Dangerous Kernel Bug, Researchers Claim ∗∗∗ --------------------------------------------- Researchers say a 18-year-old programming error by Microsoft is creating a kernel bug that can be abused by an attacker. --------------------------------------------- http://threatpost.com/microsoft-programming-error-is-behind-dangerous-kerne… ∗∗∗ Interesting List of Windows Processes Killed by Malicious Software ∗∗∗ --------------------------------------------- Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity[The post Interesting List of Windows Processes Killed by Malicious Software has been first published on /dev/random] --------------------------------------------- https://blog.rootshell.be/2017/09/06/interesting-list-windows-processes-kil… ∗∗∗ Apache Struts “serialisation” vulnerability – what you need to know ∗∗∗ --------------------------------------------- A bug in Apache Struts, a popular software toolkit for building web services, could let crooks take control of your server. --------------------------------------------- https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vul… ∗∗∗ Hackers Are Distributing Backdoored Cobian RAT Hacking tool For Free ∗∗∗ --------------------------------------------- Nothing is free in this world. If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax. Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack. --------------------------------------------- https://thehackernews.com/2017/09/backdoored-hacking-tools.html ∗∗∗ Expired domain names and malvertising - Malwarebytes Labs ∗∗∗ --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-… ∗∗∗ Gefälschte Microsoft-Warnung führt zu Datendiebstahl ∗∗∗ --------------------------------------------- Kriminelle fälschen einen Microsoft-Warnhinweis. Darin behaupten sie, dass fremde Computer mit Schadsoftware befallen seien. Vermeintliche Opfer sollen sich deshalb an eine Kundenhotline wenden. In Wahrheit gelangen sie an Verbrecher/innen, die Zugang zum Computer fordern, Dateien kopieren und Zahlungsdaten stehlen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/gefaelschte-microsoft-warnung-f… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1567/">IBM Notes: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1567/ ∗∗∗ DFN-CERT-2017-1571/">Cisco ASR 5500 Series Routers: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1571/ ∗∗∗ DFN-CERT-2017-1574/">Cisco Prime Collaboration Provisioning Tool: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Manipulation beliebiger Systemdateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1574/ ∗∗∗ DFN-CERT-2017-1578/">Cisco ASR 920 Series Router: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1578/ ∗∗∗ DFN-CERT-2017-1579/">Cisco IOS, Cisco IOS XE: Zwei Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1579/ ∗∗∗ DFN-CERT-2017-1580/">Cisco IR800 Integrated Services Router: Eine Schwachstelle ermöglicht die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1580/ ∗∗∗ Cisco Prime LAN Management Solution Token ID Reuse Lets Remote Authenticated Users Hijack the Target Users Session ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039285 ∗∗∗ Cisco Catalyst 4000 Series Switch Dynamic ACL Bug Lets Remote Users Bypass Port Access Controls on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039284 ∗∗∗ TYPO3 API Bug Lets Remote Users Obtain Potentially Sensitive Version Information on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039294 ∗∗∗ TYPO3 File Storage Access Control Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039293 ∗∗∗ TYPO3 Input Validation Flaw in Backend Forms Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039292 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2017
by Daily end-of-shift report 06 Sep '17

06 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-09-2017 18:00 − Mittwoch 06-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Gain ‘Switch-Flipping’ Access to US Power Systems ∗∗∗ --------------------------------------------- Hackers who hit American utilities this summer had the power to cause blackouts, Symantec says. --------------------------------------------- https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power… see also: http://derstandard.at/2000063697965 see also: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targ… see also: https://www.bleepingcomputer.com/news/security/sabotage-warning-issued-on-h… ∗∗∗ SynAck Ransomware Sees Huge Spike in Activity ∗∗∗ --------------------------------------------- Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to submissions to the ID-Ransomware service and users who complained on the Bleeping Computer ransomware support forums. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-… ∗∗∗ Stop blaming users for security misses ∗∗∗ --------------------------------------------- Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right. --------------------------------------------- https://www.csoonline.com/video/80055/stop-blaming-users-for-security-misse… ∗∗∗ Security and education in the wake of WannaCry, Petya ∗∗∗ --------------------------------------------- Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong.While those who were hit are still trying to understand where their security gaps are, others enterprises that rely on legacy systems and cant be patched are looking for ways to prevent being the next victim. No, the vulnerabilities attackers leverage are not new. They prey on systems --------------------------------------------- https://www.csoonline.com/article/3208384/backup-recovery/security-and-educ… ∗∗∗ The 15 biggest data breaches of the 21st centuryy ∗∗∗ --------------------------------------------- Data breaches happen daily, in too many places at once to keep count, take todays news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21st century.This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for --------------------------------------------- https://www.csoonline.com/article/2130877/data-protection/the-15-biggest-da… ∗∗∗ ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month ∗∗∗ --------------------------------------------- The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part its monthly dumps. The notorious group ShadowBrokers is back with announcing new interesting changes to their Dump Service. The hackers published a new message on the Steemit platform announcing new changed to their service. “Missing theshadowbrokers? If someone […]The post ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month appeared first on --------------------------------------------- http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html ∗∗∗ A Critical Apache Struts Security Flaw Makes It Easy To Hack Fortune 100 Firms ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. --------------------------------------------- https://apache.slashdot.org/story/17/09/05/2053200/a-critical-apache-struts… ∗∗∗ Hacker-Angriffe auf MongoDB treffen fast 27.000 Datenbanken ∗∗∗ --------------------------------------------- Erpresserische Angriffe auf sicherheitsanfällige MongoDB-Datenbanken liegen bei Online-Kriminellen bereits seit Ende letzten Jahres im Trend. Nun geht die Abzocke weiter: Drei neue Hackergruppen fordern Bitcoins im Tausch gegen Datenbankinhalte. --------------------------------------------- https://heise.de/-3822955 ∗∗∗ Security flaw affects 750,000 Estonian ID cards ∗∗∗ --------------------------------------------- An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced. “Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that --------------------------------------------- https://www.helpnetsecurity.com/2017/09/06/estonian-id-cards-security-flaw/ ===================== = Advisories = ===================== ∗∗∗ Apache Struts: Jetzt updaten und kritische Lücke schließen ∗∗∗ --------------------------------------------- Eine soeben veröffentlichte Version von Apache Struts schließt eine kritische Lücke. Die Entwickler und der Entdecker der Sicherheitslücke rechnen damit, dass diese bald für Angriffe auf Firmen missbraucht wird. Also ist jetzt zügiges Handeln angesagt. --------------------------------------------- https://heise.de/-3822948 ∗∗∗ Bugtraq: [security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541129 ∗∗∗ DFN-CERT-2017-1558/">Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1558/ ∗∗∗ DFN-CERT-2017-1556/">Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1556/ ∗∗∗ DFN-CERT-2017-1563/">Google Chrome, Chromium: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1563/ ∗∗∗ DFN-CERT-2017-1561/">IBM AIX, IBM VIOS, IBM Java SDK: Mehrere Schwachstellen ermöglichen u.a. die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1561/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22008080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2017
by Daily end-of-shift report 05 Sep '17

05 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 04-09-2017 18:00 − Dienstag 05-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Six-Year-Old "Loop Bug" Re-Discovered to Affect Almost All Major PDF Viewers ∗∗∗ --------------------------------------------- A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of todays top PDF viewers, according to German software developer Hanno Böck. --------------------------------------------- https://www.bleepingcomputer.com/news/software/six-year-old-loop-bug-re-dis… ∗∗∗ TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities ∗∗∗ --------------------------------------------- An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trustzone-downgrade-attack-o… ∗∗∗ The Mirai Botnet: A Look Back and Ahead At Whats Next, (Tue, Sep 5th) ∗∗∗ --------------------------------------------- It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port:2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai. --------------------------------------------- https://isc.sans.edu/diary/rss/22786 ∗∗∗ Hunting Pastebin with PasteHunter ∗∗∗ --------------------------------------------- >From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone. --------------------------------------------- https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/ ∗∗∗ Finger weg von SHA-1: 320 Millionen Passwörter geknackt ∗∗∗ --------------------------------------------- Wenn Webseitenbetreiber Passwörter von Kunden nicht sicher verwahren, ist der Super-GAU vorprogrammiert. Daran erinnern abermals Sicherheitsforscher, die in überschaubarer Zeit Millionen Passwörter entschlüsselt haben. --------------------------------------------- https://heise.de/-3822005 ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1547/">Liblouis: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1547/ ∗∗∗ DFN-CERT-2017-1554/">Apache Software Foundation Struts: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1554/ ∗∗∗ Security Notice - Statement About the Bootloader Vulnerabilities in Huawei Mobile Phones Disclosed at the USENIX Conference ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170905-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Jan 2017 – Includes Oracle Jan 2017 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22001461 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21996956 ∗∗∗ Arbitrary Code Execution in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/arbitrary-code-execution-in-typo3-cms/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms-1/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms/ ∗∗∗ Cross-Site Scripting in TYPO3 CMS Backend ∗∗∗ --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-typo3-cms-backend/ ∗∗∗ USN-3409-1: FontForge vulnerabilities ∗∗∗ --------------------------------------------- http://www.ubuntu.com/usn/usn-3409-1/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2017
by Daily end-of-shift report 04 Sep '17

04 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-09-2017 18:00 − Montag 04-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RTP Bleed: Mit Asterisk-Bug Telefonate belauschen ∗∗∗ --------------------------------------------- Ein Bug in der IP-Telefonielösung Asterisk ermöglicht Angreifern, Telefonate mitzuhören. Das Problem liegt in der zugrundeliegenden RTP-Implementierung. Ein erster Patch ist da, aber noch fehlerhaft. --------------------------------------------- https://www.golem.de/news/rtp-bleed-mit-asterisk-bug-telefonate-belauschen-… ∗∗∗ Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox ∗∗∗ --------------------------------------------- 2017-09-01 update: A different campaign using HoeflerText popups has been active during the same timeframe. I wrote about it here, but the only thing these two campaigns have in common is that they both used HoeflerText popups. --------------------------------------------- https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+Ho… ∗∗∗ Fehler in API: Möglicherweise Millionen Kontaktdaten von Instagram-Usern öffentlich ∗∗∗ --------------------------------------------- Wegen eines Bug in der Kommunikationsschnittstelle zu anderen Apps müssen Millionen Instagram-Nutzer um ihre Privatsphäre fürchten. Betroffen sind laut der Facebook-Tochter nicht nur Prominente. --------------------------------------------- https://heise.de/-3820497 ∗∗∗ Mehrere Sicherheitslücken in RubyGems ∗∗∗ --------------------------------------------- Rubys Paketsystem RubyGems enthält Schwachstellen, die unter anderem DoS-Angriffe und DNS-Hijacking ermöglichen. Ein Update auf die aktuelle Version 2.6.13 bannt die Gefahr. --------------------------------------------- https://heise.de/-3820891 ∗∗∗ Mehrere große Torrent-Seiten offenbar nach Attacken offline ∗∗∗ --------------------------------------------- Eine Reihe prominenter Plattformen wie Torrentproject sind nicht mehr erreichbar – Domains suspendiert, Überlastungsangriffe --------------------------------------------- http://derstandard.at/2000063553913 ===================== = Advisories = ===================== ∗∗∗ DSA-3960 gnupg - security update ∗∗∗ --------------------------------------------- Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024. --------------------------------------------- https://www.debian.org/security/2017/dsa-3960 ∗∗∗ DSA-3961 libgd2 - security update ∗∗∗ --------------------------------------------- A double-free vulnerability was discovered in the gdImagePngPtr()function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3961 ∗∗∗ DSA-3962 strongswan - security update ∗∗∗ --------------------------------------------- A denial of service vulnerability was identified in strongSwan, an IKE/IPsecsuite, using Googles OSS-Fuzz fuzzing project. --------------------------------------------- https://www.debian.org/security/2017/dsa-3962 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2017
by Daily end-of-shift report 01 Sep '17

01 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-08-2017 18:00 − Freitag 01-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Boobytrapped Word File Installs Locky Ransomware When You Close the Document ∗∗∗ --------------------------------------------- Summer vacation is over! During the past week, security researchers have discovered several distribution campaigns pushing the Locky ransomware via different methods, including a new variant that features one hell of a clever trick. --------------------------------------------- https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-insta… ∗∗∗ US Government Site Was Hosting Ransomware ∗∗∗ --------------------------------------------- As recently as Wednesday afternoon, a U.S. government website was hosting a malicious JavaScript downloader that led victims to installations of Cerber ransomware. The malware link has since been taken down. --------------------------------------------- http://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-… ∗∗∗ Malware writer offers free trojan to hackers ... with one small drawback ∗∗∗ --------------------------------------------- Beware of geeks bearing Cobian RAT gifts Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan… ∗∗∗ Lücke in HPE Operations Orchestration ermöglicht Remote Code Execution ∗∗∗ --------------------------------------------- Die Software Operations Orchestration erlaubt in allen Versionen vor 10.80 die Codeausführung aus der Ferne. Hewlett Packard Enterprise rät zum Update. Auch für zwei Performancetest-Tools des Herstellers stehen Aktualisierungen bereit. --------------------------------------------- https://heise.de/-3819782 ===================== = Advisories = ===================== ∗∗∗ OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-243-04 ∗∗∗ Moxa SoftCMS Live Viewer ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-243-05 ∗∗∗ Automated Logic Corporation ALC WebCTRL, Liebert SiteScan, Carrier i-VU ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-150-01 ∗∗∗ DFN-CERT-2017-1542/">Digium Asterisk, Digium Certified Asterisk: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1542/ ∗∗∗ SSA-866217: SMBv1 Vulnerabilities in ACUSON S1000/2000/3000 ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-866217… ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei APKs ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170901-… ∗∗∗ IBM Security Bulletin: IBM Expeditor is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002103 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999385 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by a denial of service vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21999384 ∗∗∗ IBM Security Bulletin: IBM Notes is affected by Open Source zlib vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21997877 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a vulnerability in Curl (CVE-2016-7167) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007553 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in bash (CVE-2016-9401, CVE-2016-7543, CVE-2016-0634) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007554 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Development Package for Apache Spark ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007416 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Network Protection ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007918 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007552 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of XML External Entity Injection (CVE-2017-1458) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007551 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by potential issues of Cross-Site Scripting (CVE-2017-1457) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007550 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security has updated commons-fileupload for known vulnerabilities (CVE-2016-3092) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007539 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a less-secure algorithm during negotiations vulnerability (CVE-2017-1491) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007535 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2017
by Daily end-of-shift report 31 Aug '17

31 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-08-2017 18:00 − Donnerstag 31-08-2017 18:00 Handler: Robert Waldner Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Dissecting the Chrome Extension Facebook malware ∗∗∗ --------------------------------------------- The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible. --------------------------------------------- http://securelist.com/dissecting-the-chrome-extension-facebook-malware/8171… ∗∗∗ Cyber Security Assessment Netherlands 2017: Digital resilience is lagging behind the increasing threat ∗∗∗ --------------------------------------------- The digital resilience of individuals and organisations is lagging behind the increasing threat. Government, business and citizens take many steps to increase digital resilience, but this is not happening fast enough. This is apparent from the Cyber Security Assessment Netherlands 2017 (CSAN 2017), which demissionary State Secretary Dijkhoff sent to parliament in June and which is being published in English today. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/cyber-security-assessment-n… ∗∗∗ A Framework for Cyber Security Insurance ∗∗∗ --------------------------------------------- New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017.Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership. --------------------------------------------- https://www.schneier.com/blog/archives/2017/08/a_framework_for.html ∗∗∗ Mining Adminers – Hackers Scan the Internet For DB Scripts ∗∗∗ --------------------------------------------- Hackers are constantly scanning the internet for exploitable sites, which is why even small, new sites should be fully patched and protected. At the same time, it is not feasible to scan the whole internet with 330+ million domains and billions of web pages. Even Google can’t do it, but hackers are always getting better at reconnaissance. Despite these limitations, scanning just 1% of the internet allows attackers to discover thousands of vulnerable sites. --------------------------------------------- https://blog.sucuri.net/2017/08/mining-adminers-hackers-scan-the-internet-f… ∗∗∗ Herzschrittmacher von St. Jude Medical: Firmware-Patches gegen Sicherheitslücken ∗∗∗ --------------------------------------------- Versierte Hacker können Herzschrittmacher der Marke Abbott angreifen, um Befehle auszuführen und Patientendaten zu stehlen. Implantatträgern wird ein baldiger Arztbesuch empfohlen, um wichtige Firmware-Updates zu installieren. --------------------------------------------- https://heise.de/-3817954 ∗∗∗ Embedded IoT: Krypto-Bibliothek mbed TLS für Lauschattacken anfällig ∗∗∗ --------------------------------------------- Unter gewissen Umständen könnten Angreifer als Man in the Middle den Informationsaustausch von Geräten, die auf mbed TLS setzen, mitschneiden. Abgesicherte Versionen stehen bereit. --------------------------------------------- https://heise.de/-3819197 ∗∗∗ Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities ∗∗∗ --------------------------------------------- Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victims machine. --------------------------------------------- http://blog.talosintelligence.com/2017/08/vuln-spotlight-multiple-gdk.html ===================== = Advisories = ===================== ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Compute denial of service vulnerability (CVE-2016-7498) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022227 ∗∗∗ IBM Security Bulletin: Vulnerability in libtirpc affects Power Hardware Management Console (CVE-2017-8779) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022176 ∗∗∗ IBM Security Bulletin: Vulnerabilities in BIND affect Power Hardware Management Console ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022177 ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by python oslo.middleware package information disclosure (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022229 ∗∗∗ IBM Security Bulletin: IBM PowerVC is impacted by OpenStack Glance server-side request forgery (CVE-2017-7200) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022228 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007046 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2017 CPU ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2017
by Daily end-of-shift report 30 Aug '17

30 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-08-2017 18:00 − Mittwoch 30-08-2017 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WireX: Google entfernt 300 DDoS-Apps aus dem Playstore ∗∗∗ --------------------------------------------- Google hat ein DDoS-Botnetz aus Android-Geräten lahmgelegt - und dazu 300 Apps aus dem Playstore entfernt. Rund 70.000 Smartphones wurden infiziert. (DoS, Virus) --------------------------------------------- https://www.golem.de/news/wirex-google-entfernt-300-ddos-apps-aus-dem-plays… ∗∗∗ Introducing WhiteBear ∗∗∗ --------------------------------------------- As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. --------------------------------------------- http://securelist.com/introducing-whitebear/81638/ ∗∗∗ Security baseline for Windows 10 “Creators Update” (v1703) – FINAL ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Windows 10 “Creators Update,” also known as version 1703, “Redstone 2,” or RS2. The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs, custom ADMX files for Group Policy settings, and all the settings in spreadsheet... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-f… ∗∗∗ Proof that HMAC-DRBG has No Back Doors ∗∗∗ --------------------------------------------- New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel.Abstract: We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security -- that its output is pseudorandom -- using a hybrid game-based proof. --------------------------------------------- https://www.schneier.com/blog/archives/2017/08/proof_that_hmac.html ===================== = Advisories = ===================== ∗∗∗ Update to Security Bulletin (APSB17-24) ∗∗∗ --------------------------------------------- The Security Bulletin (APSB17-24) published on August 8 regarding updates for Adobe Acrobat and Reader has been updated to reflect the availability of new updates as of August 29. The August 29 updates resolve a functional regression with XFA forms functionality … --------------------------------------------- https://blogs.adobe.com/psirt/?p=1484 ∗∗∗ DFN-CERT-2017-1525: Wireshark: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Wireshark können von einem entfernten, nicht authentisierten Angreifer für verschiedene Denial-of-Service (DoS)-Angriffe ausgenutzt werden. Die Ausnutzung der Schwachstellen erfordert die Verarbeitung speziell präparierter Datenpakete oder Packet-Trace-Dateien mit den Dissektoren für IrCOMM, Modbus, Profinet I/O oder MSDP. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1525/ ∗∗∗ DFN-CERT-2017-1523: Libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Eine Schwachstelle in Libgcrypt ermöglicht einem lokalen, einfach authentisierten Angreifer das Ausspähen privaten Schlüsselmaterials. Das GnuPG-Projekt hat die Schwachstelle in den Versionen 1.7.9 und 1.8.1 behoben. Der Quellcode dieser Versionen steht zum Herunterladen zur Verfügung. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1523/ ∗∗∗ Multiple vulnerabilities in RubyGems ∗∗∗ --------------------------------------------- The following vulnerabilities have been reported. * a DNS request hijacking vulnerability * an ANSI escape sequence vulnerability * a DoS vulernerability in the query command * a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files --------------------------------------------- https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-ru… ∗∗∗ Cisco unveils LabVIEW code execution flaw that won’t be patched ∗∗∗ --------------------------------------------- LabVIEW, the widely used system design and development platform developed by National Instruments, sports a memory corruption vulnerability that could lead to code execution. LabVIEW is commonly used for building data acquisition, instrument control, and industrial automation systems on a variety of operating systems: Windows, macOS, Linux and Unix. The vulnerability (CVE-2017-2779) The vulnerability was discovered by Cory Duplantis of Cisco Talos earlier this year, and reported to the company. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/30/labview-code-execution-flaw/ ∗∗∗ Abbott Laboratories’ Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 ∗∗∗ AzeoTech DAQFactory ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-241-02 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in The FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170830-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007392 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=swg22006695 ∗∗∗ IBM Security Bulletin: Vulnerabilities in httpd affect Power Hardware Management Console ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022175 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Power Hardware Management Console (CVE-2017-1194) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022178 ∗∗∗ IBM Security Bulletin: IBM Transformation Extender Advanced and IBM Standards Processing Engine are susceptible to a vulnerability in 10x (CVE-2017-1152) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004796 ∗∗∗ ImageMagick Heap Overflow in TracePoint() in Processing Files Lets Remote Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039246 ∗∗∗ SSA-535640 (Last Update 2017-08-30): Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-535640… ∗∗∗ SSA-771218 (Last Update 2017-08-30): Vulnerability in 7KM PAC Switched Ethernet PROFINET expansion module from the SENTRON portfolio ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-771218… ∗∗∗ SSA-087240 (Last Update 2017-08-30): Vulnerabilities in SIEMENS LOGO! ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-087240… ∗∗∗ HPESBGN03765 rev.2 - HPE LoadRunner and HPE Performance Center, Remote Disclosure of Information ∗∗∗ --------------------------------------------- https://h20565.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2017
by Daily end-of-shift report 29 Aug '17

29 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 28-08-2017 18:00 − Dienstag 29-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Metadata From IoT Traffic Exposes In-Home User Activity ∗∗∗ --------------------------------------------- Metadata from web traffic generated by smart devices installed in a home can reveal quite a lot of information about the owners habits and lifestyle. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/technology/metadata-from-iot-traffic-… ∗∗∗ "Die ganzen Kosten und Risiken trägt im Moment der Kunde" ∗∗∗ --------------------------------------------- Das absolut Mindeste muss sein, dass der Hersteller für alle Sicherheitslücken für den gesamten Nutzungszeitraum der Software Patches für Sicherheitslücken zur Verfügung stellen muss. Wenn es nach mir ginge, bekäme der Kunde eine Pauschale pro Arbeitsplatz und Tag ohne Patch ausgezahlt, und zwar nicht seit das Sicherheitsloch öffentlich bekannt wurde, sondern – wenn das vorher war – seit der Hersteller davon wusste. --------------------------------------------- https://www.eco.de/2017/news/die-ganzen-kosten-und-risiken-traegt-im-moment… ∗∗∗ Android und Windows: MTP-Bug lässt Dateien verschwinden ∗∗∗ --------------------------------------------- Vorsicht mit Android-Geräten, die per USB an einen PC mit Windows 10 angeschlossen sind: Bei harmlosen Aufräumarbeiten können Fotos und andere Dateien unwiderruflich verloren gehen. Betroffen sind fast alle Android-Geräte außer den neueren von Samsung. --------------------------------------------- https://heise.de/-3815535 ∗∗∗ Tech Firms Team Up to Take Down ‘WireX’ Android DDoS Botnet ∗∗∗ --------------------------------------------- A half dozen technology and security companies -- some of them competitors -- issued the exact same press release today. This unusual level of cross-industry collaboration caps a successful effort to dismantle WireX, an extraordinary new crime machine comprising tens of thousands of hacked Android mobile devices that was used this month to launch a series of massive cyber attacks. Experts involved in the takedown warn that WireX marks the emergence of a new class of attack tools that are more --------------------------------------------- https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-a… ∗∗∗ BSI-Studie zur Analyse des Linux-Zufallszahlengenerators wird fortgesetzt ∗∗∗ --------------------------------------------- Im Rahmen einer Langzeitstudie untersucht das Bundesamt für Sicherheit in der Informationstechnik (BSI) seit 2012 die kryptografische Eignung des Linux-Zufallszahlengenerators "/dev/random". Der aktuelle Untersuchungsbericht umfasst sowohl den aktuellen als auch alle vorigen Linux-Kernel und steht in englischer Sprache auf der BSI-Webseite zum Download zur Verfügung. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Studie_Linu… ===================== = Advisories = ===================== ∗∗∗ DSA-3958 fontforge - security update ∗∗∗ --------------------------------------------- It was discovered that FontForge, a font editor, did not correctlyvalidate its input. An attacker could use this flaw by tricking a userinto opening a maliciously crafted OpenType font file, thus causing adenial-of-service via application crash, or execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3958 ∗∗∗ DSA-3957 ffmpeg - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in FFmpeg, a multimediaplayer, server and encoder. These issues could lead to Denial-of-Serviceand, in some situation, the execution of arbitrary code. --------------------------------------------- https://www.debian.org/security/2017/dsa-3957 ∗∗∗ VU#403768: Akeo Consulting Rufus fails to update itself securely ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/403768 ∗∗∗ DFN-CERT-2017-1514: MISP: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1514/ ∗∗∗ DFN-CERT-2017-1512: OpenSSL: Eine Schwachstelle ermöglicht das Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1512/ ∗∗∗ DFN-CERT-2017-1515: Ghostscript: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1515/ ∗∗∗ DFN-CERT-2017-1517: SQLite: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1517/ ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-… ∗∗∗ Security Advisory - App Lock Bypass Vulnerability in Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170829-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025659 ∗∗∗ Pulse Connect Secure Access Control Flaw in diag.cgi Lets Remote Users Conduct Cross-Site Request Forgery Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039242 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2017
by Daily end-of-shift report 28 Aug '17

28 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-08-2017 18:00 − Montag 28-08-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ===================== = Advisories = ===================== ∗∗∗ Disabling Intel ME 11 via undocumented mode ∗∗∗ --------------------------------------------- .. researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. governments High Assurance Platform (HAP) program. --------------------------------------------- http://blog.ptsecurity.com/2017/08/disabling-intel-me.html ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017 /huawei-sa-20170807-01-smartphone-en ∗∗∗ IBM Security Bulletin: OpenSSL Security Advisory [22 Sep 2016 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010571 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sametime Community Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006228 ∗∗∗ IBM Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007242 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Sametime Web Player (CVE-2016-2980) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006447 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM Sametime Connect client (CVE-2016-0243, CVE-2016-2974) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006444 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Cisco SAN switches and directors (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010566 ∗∗∗ IBM Security Bulletin: Various Security Vulnerabilities in IBM Sametime Proxy Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006441 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2017
by Daily end-of-shift report 25 Aug '17

25 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-08-2017 18:00 − Freitag 25-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher Releases Fully Working Exploit Code for iOS Kernel Vulnerability ∗∗∗ --------------------------------------------- Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-releases-fully-wo… ∗∗∗ New EMPTY CryptoMix Ransomware Variant Released ∗∗∗ --------------------------------------------- Today, MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that is appending the .EMPTY extension to encrypted file names. Considering that the previous variant used ERROR as the previous extension and now uses EMPTY, it is clear that the developers are running out of extensions to use. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomwa… ∗∗∗ Mobile malware factories: Android apps for creating ransomware ∗∗∗ --------------------------------------------- Mobile ransomware can now be created automatically without the need to write code. Having little to no coding experience is no longer a problem for wannabe mobile malware authors, thanks to Trojan Development Kits (TDKs). Criminals can now install an app that will allow them to quickly and easily create Android ransomware with their own devices. --------------------------------------------- https://www.symantec.com/connect/blogs/mobile-malware-factories-android-app… ∗∗∗ Analysis of Ronggolawe Ransomware and How to Block It ∗∗∗ --------------------------------------------- ... Web server ransomware is not new. In fact we witnessed first evidence of it back at 2015 and most recently in the well-known attack aimed at the South Korean web hosting company NAYANA. Unfortunately, today ransomware targeted at web servers is even more popular especially given the availability of open source malware easily found in public repositories such as GitHub. Most recently we have seen reports of a new web server ransomware called Ronggolawe, the code name for AwesomeWare. --------------------------------------------- https://www.imperva.com/blog/2017/08/ronggolawe-ransomware-how-to-block-it/ ∗∗∗ The Adventure of the Final Intel AMT Problem ∗∗∗ --------------------------------------------- Its high time to learn how cunning cyber criminals can use Intel AMT powerful capabilities to achieve their malicious goals. See the captivating story of hacking Intel AMT with all its twists and turns and awe-inspiring details with your own eyes. The freshest and the hottest presentation “MythBusters: CVE-2017-5689 – How Intel AMT could be broken completely” from HITB 2017. --------------------------------------------- https://embedi.com/news/adventure-final-intel-amt-problem ∗∗∗ Sophos UTM: Update kümmert sich um alte und neue Sicherheitslücken ∗∗∗ --------------------------------------------- In der UTM von Sophos klaffen mehrere Schwachstellen. Eine fehlerbereinigte Version steht zum Download bereit. --------------------------------------------- https://heise.de/-3812308 ∗∗∗ Android Oreo: Das sind die Sicherheits-Neuerungen bei Android 8.0 ∗∗∗ --------------------------------------------- Google härtet Android mit Google Play Protect, Schutzfunktionen für die System-UI, strikteren Regeln für nachgeladenen Code aus Drittquellen und erweiterter Isolierung von Browser-Prozessen. --------------------------------------------- https://heise.de/-3812341 ===================== = Advisories = ===================== ∗∗∗ ZDI-17-697: (0Day) Delta Industrial Automation WPLSoft dvp File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Delta Industrial Automation WPLSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-697/ ∗∗∗ ESB-2017.2137 - [Appliance] WPLSoft, ISPSoft and PMSoft ∗∗∗ --------------------------------------------- This bulletin contains ten (10) Zero Day Initiative security advisories. --------------------------------------------- https://www.auscert.org.au/bulletins/51578/print ∗∗∗ Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-236-01 ∗∗∗ Rockwell Automation Allen-Bradley Stratix and ArmoStratix ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-04 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Light ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007508 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2017
by Daily end-of-shift report 24 Aug '17

24 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-08-2017 18:00 − Donnerstag 24-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 90% of Companies Get Attacked with Three-Year-Old Vulnerabilities ∗∗∗ --------------------------------------------- A Fortinet report released this week highlights the importance of keeping secure systems up to date, or at least a few cycles off the main release, albeit this is not recommended, but better than leaving systems unpatched for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/90-percent-of-companies-get-… ∗∗∗ Whatsapp und Signal: Zerodium bietet 500.000 US-Dollar für Messenger-Exploits ∗∗∗ --------------------------------------------- Die staatliche Nachfrage nach Sicherheitslücken für die Quellen-TKÜ zeigt offenbar Wirkung. Schwachstellen in Whatsapp, Signal und anderen Messengern werden besser honoriert als Codeausführung in Windows. --------------------------------------------- https://www.golem.de/news/whatsapp-und-signal-zerodium-bietet-500-000-us-do… ∗∗∗ Deprecated, Insecure Apple Authorization API Can Be Abused to Run Code at Root ∗∗∗ --------------------------------------------- An insecure Apple authorization API is used by numerous popular third-party application installers and can be abused by attackers ro run code as root. --------------------------------------------- http://threatpost.com/deprecated-insecure-apple-authorization-api-can-be-ab… ∗∗∗ Decrypting NotPetya/Petya: Tools for Recovering Your MFT After an Attack ∗∗∗ --------------------------------------------- In this blog post, we are making our findings, and tools, for decrypting NotPetya/Petya available to the general public. With the aid of the supplied tools, almost all of the Master File Table (MFT) can be successfully recovered within minutes. --------------------------------------------- https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-y… ∗∗∗ Im giving up on HPKP ∗∗∗ --------------------------------------------- HTTP Public Key Pinning is a very powerful standard that allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. Whilst HPKP can offer a lot of protection, it can also cause a lot of harm too. --------------------------------------------- https://scotthelme.co.uk/im-giving-up-on-hpkp/ ∗∗∗ Crystal Finance Millennium used to spread malware ∗∗∗ --------------------------------------------- [...] it was revealed the Crystal Finance Millennium website was indeed hacked, and serving three different flavors of malware. In this short blog post, well take a look at the malware variants that were distributed, and provide minimal background. --------------------------------------------- https://bartblaze.blogspot.de/2017/08/crystal-finance-millennium-used-to.ht… ∗∗∗ Malware über Facebook-Messenger im Umlauf, greift Windows und macOS an ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen aktuell vor einer Masche, mit der Facebook-Nutzer dazu verleitet werden sollen, trojanisierte Fake-Software zu installieren. --------------------------------------------- https://heise.de/-3811842 ∗∗∗ Kritische Sicherheitslücke in HPE iLo: "So schnell wie möglich handeln" ∗∗∗ --------------------------------------------- Die Management-Software Integrated Lights-out 4 (iLO 4) von HP-Proliant-Servern enthält eine Sicherheitslücke, über die Angreifer aus der Ferne Schadcode ausführen können, ohne sich anmelden zu müssen. --------------------------------------------- https://heise.de/-3811873 ===================== = Advisories = ===================== ∗∗∗ Cisco Meeting Server Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI command-parsing code of Cisco Meeting Server could allow an authenticated, local attacker to perform command injection and escalate their privileges to root. The attacker must first authenticate to the application with valid administrator credentials.The vulnerability is due to insufficient validation of user-supplied input at the CLI for certain commands. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1497/">Cacti: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1497/ ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects Sametime Community (CVE-2016-2183) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006212 ∗∗∗ IBM Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007428 ∗∗∗ IBM Security Bulletin: Various Security vulnerabilities in IBM Sametime Media Server (CVE-2016-2970, CVE-2016-0729, CVE-2016-4449) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006233 ∗∗∗ HPESBHF03769 rev.1 - HPE Integrated Lights-out 4 (iLO 4) Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2017
by Daily end-of-shift report 23 Aug '17

23 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-08-2017 18:00 − Mittwoch 23-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ROPEMAKER Lets Attackers Change Your Emails After Delivery ∗∗∗ --------------------------------------------- A new email attack scenario nicknamed ROPEMAKER allows a threat actor to change the content of emails received by targets via remote CSS files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ropemaker-lets-attackers-cha… ∗∗∗ Google Play Store Security Scans Tricked by ...Sigh... In-Dev Malware ∗∗∗ --------------------------------------------- Google has yet to remove two apps infected with dangerous malware that are currently still available for download via the official Google Play Store. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-play-store-security-s… ∗∗∗ Malicious script dropping an executable signed by Avast?, (Wed, Aug 23rd) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting sample that I started to analyze... It reached my spam trap attached to an email in Portuguese with the subject: "Venho por meio desta solicitar orçamento dos produtos” ("I hereby request the products budget”). --------------------------------------------- https://isc.sans.edu/diary/rss/22748 ∗∗∗ Apple iCloud Keychain easily slurped, ElcomSoft says ∗∗∗ --------------------------------------------- Credentials stored in the cloud succumb to forensic software ElcomSoft, the Russia-based maker of forensic software, has managed to find a way to access the data stored in Apples iCloud Keychain, if Apple ID account credentials are available. --------------------------------------------- http://www.theregister.co.uk/2017/08/22/apple_icloud_keychain_easily_slurpe… ∗∗∗ Is the Power Grid Getting More Vulnerable to Cyber Attacks? ∗∗∗ --------------------------------------------- Rising computerization opens doors for increasingly aggressive adversaries, but defenses are better than many might think. --------------------------------------------- https://www.scientificamerican.com/article/is-the-power-grid-getting-more-v… ∗∗∗ Ukrainian Security Firm Warns of Another Massive Global Cyberattack ∗∗∗ --------------------------------------------- A new wave of cyberattacks could be launched as soon as this week, Ukrainian security firm ISSP warns, pointing out that the main objective would be taking down networks on August 24 when Ukraine celebrates the Independence Day. --------------------------------------------- http://news.softpedia.com/news/ukrainian-security-firm-warns-massive-global… ∗∗∗ Google schmeißt 500 potenzielle Spionage-Apps aus App Store ∗∗∗ --------------------------------------------- Ein Software Development Kit für Werbeeinblendungen soll Schnüffelfunktionen mitbringen. Damit ausgestattete Android-Apps weisen über 100 Millionen Downloads auf, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-3810366 ∗∗∗ Hintergrund: Hardware-Fuzzing: Hintertüren und Fehler in CPUs aufspüren ∗∗∗ --------------------------------------------- Ein Prozessor-Fuzzer analysiert Hardware, der man normalerweise blind vertrauen muss. In ersten Testläufen wurde er bei nahezu allen Architekturen fündig und spürte etwa undokumentierte CPU-Befehle auf. Sandsifter ist kostenlos und frei verfügbar; der Autor hilft sogar bei der Analyse. --------------------------------------------- https://heise.de/-3809408 ===================== = Advisories = ===================== ∗∗∗ DSA-3952 libxml2 - security update ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in libxml2, a library providingsupport to read, modify and write XML and HTML files. A remote attackercould provide a specially crafted XML or HTML file that, when processedby an application using libxml2, would cause a denial-of-service againstthe application, information leaks, or potentially, the execution ofarbitrary code with the privileges of the user running the application. --------------------------------------------- https://www.debian.org/security/2017/dsa-3952 ∗∗∗ Automated Logic Corporation WebCTRL, i-VU, SiteScan ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-01 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-03 ∗∗∗ SpiderControl SCADA MicroBrowser ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-234-02 ∗∗∗ Security Advisory - Two Command Injection Vulnerabilities in The FusionSphere OpenStack ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170823-… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005055 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007464 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource NTP affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002233 ∗∗∗ Multiple GNU Binutils vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23729200 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2017
by Daily end-of-shift report 22 Aug '17

22 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 21-08-2017 18:00 − Dienstag 22-08-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gestohlene Nacktfotos von Ski-Star Lindsey Vonn im Netz ∗∗∗ --------------------------------------------- Unbekannte haben das Handy von US-Skistar Lindsey Vonn (32) geknackt und Nacktfotos von ihr und ihrem Ex-Freund Tiger Woods (41) gestohlen. --------------------------------------------- https://futurezone.at/digital-life/gestohlene-nacktfotos-von-ski-star-linds… ∗∗∗ Unsichere Passwörter: Angriffe auf Microsoft-Konten um 300 Prozent gestiegen ∗∗∗ --------------------------------------------- Noch immer haben viele Nutzer schlechte Passwörter und benutzen diese gleich für mehrere Accounts. Das geht aus Microsofts eigener Sicherheitsanalyse hervor, die Trends aus dem Enterprise- und Privatkundengeschäft präsentiert. --------------------------------------------- https://www.golem.de/news/unsichere-passwoerter-angriffe-auf-microsoft-kont… ∗∗∗ Enigma ICO Heist Robs Nearly $500,000 in Ethereum From Investors ∗∗∗ --------------------------------------------- Cryptos fine and good, but make sure youre looking after the basics. --------------------------------------------- https://www.wired.com/story/enigma-ico-ethereum-heist ∗∗∗ Who’s Blocked by Bad Guys? ∗∗∗ --------------------------------------------- Just a quick post about an interesting file found in a phishing kit. Bad guys use common techniques to prevent crawlers, scanners or security companies from accessing their pages. Usually, .. --------------------------------------------- https://blog.rootshell.be/2017/08/21/whos-blocked-bad-guys/ ∗∗∗ Erpressungstrojaner WannaCry hat erneut zugeschlagen ∗∗∗ --------------------------------------------- Offenbar hat LG bei einigen Service-Systemen wichtige Sicherheitspatches nicht installiert und WannaCry infizierte diverse Computer des Unternehmens in Südkorea. Dabei soll es aber zu keinen größeren Schäden gekommen sein. --------------------------------------------- https://heise.de/-3809790 ∗∗∗ Kriminelle stehlen Telefonnummern von Bitcoin-Investoren ∗∗∗ --------------------------------------------- Bitten Mobilfunker um Transfer der Nummer auf neues Gerät – oft Verluste in Millionenhöhe --------------------------------------------- http://derstandard.at/2000062971633 ∗∗∗ Hacker drohen, "Game of Thrones"-Finale vorab online zu stellen ∗∗∗ --------------------------------------------- HBO hat sich bislang geweigert, Lösegeld zu bezahlen – zwei von sechs Folgen waren früher ins Netz gelangt --------------------------------------------- http://derstandard.at/2000062960237 ∗∗∗ Betrug: Mobilfunkbetreiber warnen vor "Ping Calls" ∗∗∗ --------------------------------------------- Hinter unbekannter Nummer auf dem Handydisplay steckt manchmal ein Betrüger --------------------------------------------- http://derstandard.at/2000062990431 ===================== = Advisories = ===================== ∗∗∗ Sicherheitsupdate: Thunderbird updaten und sicher konfigurieren ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Mozilla Thunderbird ermöglichen einem entfernten, nicht authentisierten Angreifer das Ausführen beliebigen Programmcodes, das Umgehen von Sicherheitsvorkehrungen, die Darstellung falscher Informationen und verschiedener Denial-of-Service (DoS)-Angriffe. --------------------------------------------- https://www.kuketz-blog.de/sicherheitsupdate-thunderbird-updaten-und-sicher… ∗∗∗ DSA-3949 augeas - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3949 ∗∗∗ Multiple vulnerabilities in Progress Sitefinity ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… ∗∗∗ Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabil… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2017
by Daily end-of-shift report 21 Aug '17

21 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-08-2017 18:00 − Montag 21-08-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Win $100,000 for New Spear-Phishing Detection Method ∗∗∗ --------------------------------------------- Facebook has awarded this years Internet Defense Prize worth $100,000 to a team of researchers from the University of California, Berkeley, who came up with a new method of detecting spear-phishing attacks in closely monitored enterprise networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-win-100-000-for-… ∗∗∗ Wie Hacker große Frachtschiffe ins Visier nehmen ∗∗∗ --------------------------------------------- Mithilfe von Malware können Handelsschiffe lahmgelegt und manövrierunfähig gemacht werden. Kriminelle könnten sogar die Kollision zweier Schiffe herbeiführen. --------------------------------------------- https://futurezone.at/digital-life/wie-hacker-grosse-frachtschiffe-ins-visi… ∗∗∗ Personal Security Guide – iOS/Android ∗∗∗ --------------------------------------------- We’ve covered a lot of personal security practices, but many people forget how important it is to secure mobile devices, which are riddled with personal information. --------------------------------------------- https://blog.sucuri.net/2017/08/personal-security-guide-iosandroid.html ∗∗∗ Warning: Enigma Hacked; Over $470,000 in Ethereum Stolen So Far ∗∗∗ --------------------------------------------- More Ethereum Stolen! An unknown hacker has so far stolen more than $471,000 worth of Ethereum—one of the most popular and increasingly valuable cryptocurrencies—in yet another Ethereum hack that hit the popular cryptocurrency investment platform, Enigma. --------------------------------------------- http://thehackernews.com/2017/08/enigma-cryptocurrency-hack.html ∗∗∗ DNSSEC Key Signing Key Rollover ∗∗∗ --------------------------------------------- On October 11, 2017, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the domain name system (DNS) Security Extensions (DNSSEC) protocol. DNSSEC is a set of DNS protocol extensions used to digitally sign DNS information, which is an important part of preventing domain name hijacking. Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/08/21/DNSSEC-Key-Signing… ∗∗∗ Zero-Day-Lücken im PDF Reader: Foxit will doch patchen ∗∗∗ --------------------------------------------- Ursprünglich wollte Foxit die zwei Lücken, die Angreifern unter bestimmten Umständen die lokale Codeausführung ermöglichen, nicht schließen. Mittlerweile hat sich der Hersteller aber anders entschieden. --------------------------------------------- https://heise.de/-3807762 ∗∗∗ SyncCrypt: Neue Ransomware lauert in JPG-Dateien ∗∗∗ --------------------------------------------- Um AV-Software auszutricksen, verbirgt sich die Ransomware SyncCrypt in Bilddateien. Einmal auf dem System, wird sie per Skript extrahiert und ausgeführt. Kostenlose Entschlüsselungs-Tools gibt es bislang nicht. --------------------------------------------- https://heise.de/-3808437 ∗∗∗ Blowing the Whistle on Bad Attribution ∗∗∗ --------------------------------------------- The New York Times this week published a fascinating story about a young programmer in Ukraine whod turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. Its a good read, as long as you can ignore that the premise of the piece is completely wrong. --------------------------------------------- https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/ ∗∗∗ Hacker übernahmen Facebook- und Twitter-Account von Playstation ∗∗∗ --------------------------------------------- Die Hackergruppe OurMine setzte mit den Social-Media-Profilen diverse Tweets und Facebook-Posts ab --------------------------------------------- http://derstandard.at/2000062906632 ===================== = Advisories = ===================== ∗∗∗ USN-3397-1: strongSwan vulnerability ∗∗∗ --------------------------------------------- A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Ubuntu 16.04 LTS Ubuntu 14.04 LTSSummarystrongSwan could be made to crash or hang if it received specially craftednetwork traffic. --------------------------------------------- http://www.ubuntu.com/usn/usn-3397-1/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle® Java™ Runtime Environment version 1.7 affect IBM Flex System Manager(FSM) Storage Manager Install Anywhere (SMIA) configuration tool ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025471 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect ASP.NET Core in IBM Bluemix ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007209 ∗∗∗ IBM Security Bulletin: No verification of user rights for certain applications on MaaS360 Windows installations. (CVE-2017-1422). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006985 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006808 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere DataPower XC10 Appliance ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005299 ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2017-1000381 and CVE-2017-11499 in Node.js affects IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022230 ∗∗∗ IBM Security Bulletin: January 2016 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010526 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2017
by Daily end-of-shift report 18 Aug '17

18 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-08-2017 18:00 − Freitag 18-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Betrug: Verbraucherzentrale warnt vor gefälschten Youporn-Mahnungen ∗∗∗ --------------------------------------------- Eine Spam-Kampagne versendet derzeit angebliche Mahnungen für die Nutzung von Youporn im Namen einer Münchener Anwaltskanzlei. Diese warnt selbst vor den Fälschungen. --------------------------------------------- https://www.golem.de/news/betrug-verbraucherzentrale-warnt-vor-gefaelschten… ∗∗∗ OWASP 2017 Top 10 vs. 2013 Top 10 ∗∗∗ --------------------------------------------- After a long interval of four years, OWASP in April 2017 released a draft of its latest list of "Top 10 Web Application Security Vulnerabilities." The OWASP Top 10 has served as a benchmark for the world of application security for the last 14 years. It was designed to allow developers to identify and avoid [...] --------------------------------------------- http://resources.infosecinstitute.com/owasp-2017-top-10-vs-2013-top-10/ ∗∗∗ Hacker Publishes iOS Secure Enclave Firmware Decryption Key ∗∗∗ --------------------------------------------- A hacker identified only as xerub published the decryption key unlocking the iOS Secure Enclave Processor. --------------------------------------------- http://threatpost.com/hacker-publishes-ios-secure-enclave-firmware-decrypti… ∗∗∗ Cisco schließt einen Haufen Sicherheitslücken ∗∗∗ --------------------------------------------- Cisco hat 19 Sicherheitslücken in verschiedensten Produkten mit Sicherheitsupdates geschlossen. Drei der Updates sind mit hoher Priorität eingestuft. --------------------------------------------- https://heise.de/-3807549 ∗∗∗ Gefälschte A1-Rechnung installiert Schadsoftware ∗∗∗ --------------------------------------------- Eine gefälschte A1-Nachricht fordert Empfänger/innen dazu auf, dass sie eine Website aufrufen und sich auf dieser ihre Rechnung ansehen. Wer dem nachkommt, lädt die Datei „quittung.lnk“ herunter. Bei dieser handelt es sich um keine Kostenaufstellung, sondern um eine Verknüpfung zu einer Schadsoftware. Aus diesem Grund dürfen Sie die Verknüpfung nicht öffnen. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-a1-rec… ===================== = Advisories = ===================== ∗∗∗ Philips DoseWise Portal Vulnerabilities ∗∗∗ --------------------------------------------- This medical device advisory contains mitigation details for hard-coded credentials and cleartext storage of sensitive information vulnerabilities in Philips’ DoseWise Portal web application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-229-01 ∗∗∗ ZDI-17-693: Bitdefender Total Security bdfwfpf Kernel Driver Double Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Bitdefender Total Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-693/ ∗∗∗ DFN-CERT-2017-1469: ClamAV: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1469/ ∗∗∗ DFN-CERT-2017-1476: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1476/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007056 ∗∗∗ Splunk Input Validation Flaws in Web Interface Let Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2017
by Daily end-of-shift report 17 Aug '17

17 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2017 18:00 − Donnerstag 17-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Banking Trojans Set Their Sights on Taxi and Ride-Hailing Apps ∗∗∗ --------------------------------------------- It was to be expected that Android banking trojan operators would eventually set their sights on ride-hailing applications, considering that these apps work with a users financial data on a daily basis. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-trojans-set-their-si… ∗∗∗ Ransomware: Locky kehrt erneut zurück ∗∗∗ --------------------------------------------- Mit Locky kehrt eine bekannte Ransomware nach mehrmonatiger Abwesenheit zurück - mit den Dateiendungen Diablo6 und Lukitus. Immer wieder tauchen neue Versionen auf, die vermutlich von Kriminellen für erpresserische Zwecke gemietet werden. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/ransomware-locky-kehrt-erneut-zurueck-1708-129539… ∗∗∗ NotPetya: Maersk erwartet bis zu 300 Millionen Dollar Verlust ∗∗∗ --------------------------------------------- Containerterminals standen still, Schiffe konnten weder gelöscht noch beladen werden: Mehrere Wochen hielt der Trojaner den dänischen Mega-Konzern Maersk in Atem. Die Reederei Maersk Line und der Hafenbetreiber APM Terminals wurden schwer getroffen. --------------------------------------------- https://heise.de/-3804688 ∗∗∗ Handy-Ersatzteile können Malware einschleusen ∗∗∗ --------------------------------------------- Über Ersatzteile könnten Angreifer unbemerkt Malware in Smartphones schmuggeln. Erkennungsmethoden oder gar Abwehrmaßnahmen gibt es bislang keine, warnen israelische Sicherheitsforscher. --------------------------------------------- https://heise.de/-3804758 ∗∗∗ Sicherheitsupdates: Angreifer könnten Drupal-Webseiten ein bisschen umbauen ∗∗∗ --------------------------------------------- Nutzer von Drupal sollten zügig die aktuellen Versionen installieren. In diesen haben die Entwickler mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-3805042 ∗∗∗ iMessage: Neuer Betrugsversuch macht die Runde ∗∗∗ --------------------------------------------- Aktuell erreichen Nutzer Nachrichten mit Links, die sie zur Eingabe persönlicher Daten nötigen. Sie stammen angeblich von Apple. --------------------------------------------- https://heise.de/-3804878 ===================== = Advisories = ===================== ∗∗∗ DSA-3944 mariadb-10.0 - security update ∗∗∗ --------------------------------------------- Several issues have been discovered in the MariaDB database server. Thevulnerabilities are addressed by upgrading MariaDB to the new upstreamversion 10.0.32. Please see the MariaDB 10.0 Release Notes for furtherdetails: --------------------------------------------- https://www.debian.org/security/2017/dsa-3944 ∗∗∗ Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004 ∗∗∗ --------------------------------------------- Drupal 8.3.7 is a maintenance releases which contain fixes for security vulnerabilities.Download Drupal 8.3.7Updating your existing Drupal 8 sites is strongly recommended (see instructions for Drupal 8). This release fixes security issues only; there are no new features nor non-security-related bug fixes in this release. See the 8.3.7 release notes for details on important changes and known issues affecting this release. --------------------------------------------- https://www.drupal.org/SA-CORE-2017-004 ∗∗∗ Filr 3.2.1 Update ∗∗∗ --------------------------------------------- Abstract: This update provides a number of general bug fixes for Micro Focus Filr, Search and MySQL appliances including an updated Filr 3.2.1 Desktop client. --------------------------------------------- https://download.novell.com/Download?buildid=zZ3A-xIEvO0~ ∗∗∗ VU#793496: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/793496 ∗∗∗ Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902596 ∗∗∗ Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902606 ∗∗∗ Views - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2902604 ∗∗∗ Cisco Application Policy Infrastructure Controller SSH Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco TelePresence Video Communication Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Services Platform Deployment Configuration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Services Framework AutoVNF Configuration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager Horizontal Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers FTP Configuration File Modification Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS for ASR 5000 Series Routers Command-Line Interface Security Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Sensitive Log Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Configuration Parameters Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Elastic Services Controller Configuration Files Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Virtual Network Function Element Manager Arbitrary Command Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Security Appliances SNMP Polling Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco RV340, RV345, and RV345P Dual WAN Gigabit VPN Routers Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Policy Suite Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure HTML Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco AnyConnect WebLaunch Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Application Policy Infrastructure Controller Custom Binary Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities in Apache FOP and Apache Batik affect IBM WebSphere Portal (CVE-2017-5661, CVE-2017-5662) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006871 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2017
by Daily end-of-shift report 16 Aug '17

16 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2017 18:00 − Mittwoch 16-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Millions of RDP Endpoints Exposed Online and Ready for Bad Things ∗∗∗ --------------------------------------------- An Internet-wide scan carried out by security researchers from Rapid7 has discovered over 11 million devices with 3389/TCP ports left open online, of which over 4.1 million are specifically speaking the RDP protocol. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/millions-of-rdp-endpoints-ex… ∗∗∗ Pulse Wave - New DDoS Assault Pattern Discovered ∗∗∗ --------------------------------------------- A new method of carrying out DDoS attacks named Pulse Wave is causing problems to certain DDoS mitigation solutions, allowing attackers to down servers previously thought to be secured. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/pulse-wave-new-ddos-assault-… ∗∗∗ Attackers Backdoor Another Software Update Mechanism ∗∗∗ --------------------------------------------- Researchers at Kaspersky Lab said today that the update mechanism for Korean server management software provider NetSarang was compromised and serving a backdoor called ShadowPad. --------------------------------------------- http://threatpost.com/attackers-backdoor-another-software-update-mechanism/… ∗∗∗ Analysis of a Paypal phishing kit, (Wed, Aug 16th) ∗∗∗ --------------------------------------------- They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal arenice targets and we can find new fake pages almost daily. Sometimes, the web server isnt properly configured and the source code is publicly available. A few days ago, I was lucky to find a ZIP archivecontaining a very nice phishing kit targeting Paypal. I took some time to have a look at it. --------------------------------------------- https://isc.sans.edu/diary/rss/22726 ∗∗∗ Security Afterworks Spezial – DSGVO – Impulsvorträge und Diskussion ∗∗∗ --------------------------------------------- October 03, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-dsgvo/ ∗∗∗ Decoding Complex Malware – Step-by-Step ∗∗∗ --------------------------------------------- When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code into different locations to increase the chances of reinfecting the site and maintaining access for as long as possible. Our research finds that in 67% of the websites we clean, there is at least one backdoor variant. --------------------------------------------- https://blog.sucuri.net/2017/08/malware-decoding-step-step-guide.html ∗∗∗ The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard ∗∗∗ --------------------------------------------- In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities in specific makes and/or brands of cars. And once reported, these vulnerabilities were quickly resolved. But what should the security [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/SJgibQgcZtQ/ ∗∗∗ ShadowPad: Spionage-Hintertür in Admintools für Unix- und Linux-Server aufgedeckt ∗∗∗ --------------------------------------------- Eine raffinierte Hintertür wurde von Angreifern per korrekt signiertem Update an die Netzwerk-Admin-Tools der koreanischen Firma NetSarang ausgeliefert. Es dauerte mehr als zwei Wochen, bis der Spionage-Trojaner im Netz eines Bankinstitutes aufflog. --------------------------------------------- https://heise.de/-3803225 ∗∗∗ EV ransomware is targeting WordPress sites ∗∗∗ --------------------------------------------- WordPress security outfit Wordfence has flagged several attempts by attackers to upload ransomware that provides them with the ability to encrypt a WordPress website’s files. They dubbed the malware "EV ransomware", due to the .ev extension that is added to the encrypted files. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/16/wordpress-ransomware/ ===================== = Advisories = ===================== ∗∗∗ BMC Medical and 3B Medical Luna CPAP Machine ∗∗∗ --------------------------------------------- This medical device advisory contains mitigation details for an improper input validation vulnerability in BMC Medical’s and 3B Medical’s Luna continuous positive airway pressure therapy machine. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-227-01 ∗∗∗ Identity Reporting 5.5.1 ∗∗∗ --------------------------------------------- Abstract: This service pack provides enhancements and software fixes for Identity Reporting. For more information about these updates, see the service pack details. --------------------------------------------- https://download.novell.com/Download?buildid=iGYyq6xwjhE~ ∗∗∗ Citrix XenServer Multiple Security Updates ∗∗∗ --------------------------------------------- A number of security vulnerabilities have been identified in Citrix XenServer that may allow a malicious administrator of a guest VM to compromise the host. --------------------------------------------- https://support.citrix.com/article/CTX225941 ∗∗∗ DFN-CERT-2017-1441: Xen: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1441/ ∗∗∗ DFN-CERT-2017-1442: Red Hat JBoss Data Virtualization: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1442/ ∗∗∗ Security Advisory - Out-of-Bounds Memory Access Vulnerability in the Boot Loaders of Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Two Vulnerabilities in Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170807-… ∗∗∗ Security Advisory - Arbitrary Memory Write Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei Honor 5S Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Integer Overflow Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ Security Advisory - Lack of Signature Verification Vulnerability in Some Huawei APP ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170816-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006722 ∗∗∗ IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting (CVE-2017-1338) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004138 ∗∗∗ IBM Security Bulletin:Security Vulnerability in IBM Java SDK for Quarterly CPU – April 2017 affect IBM Rational Software Architect and Rational Software Architect for WebSphere Software (CVE-2017-3511) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007149 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Watson Explorer (CVE-2016-8688, CVE-2016-8689, CVE-2017-5601, CVE-2016-10209, CVE-2016-10350, CVE-2016-10349) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006995 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK Java™ Technology Edition Version 6, 7, 8 and IBM® Runtime Environment Java™ Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg21998551 ∗∗∗ IBM Security Bulletin: Potential security vulnerability in the WebSphere Application Server Admin Console (CVE-2017-1501) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006810 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager is affected by an OpenSSL vulnerability (CVE-2016-8610) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007023 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager appliances are affected by multiple Network Time Protocol (NTP) vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007067 ∗∗∗ SSA-275839 (Last Update 2017-08-16): Denial-of-Service Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… ∗∗∗ SSA-293562 (Last Update 2017-08-16): Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2017
by Daily end-of-shift report 14 Aug '17

14 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2017 18:00 − Montag 14-08-2017 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forscher hacken Computer mit manipulierter DNA ∗∗∗ --------------------------------------------- Auch DNA ist nicht vor Schadsoftware sicher: Forscher der University of Washington konnten einen Computer mithilfe von manipulierter DNA übernehmen. --------------------------------------------- https://futurezone.at/digital-life/forscher-hacken-computer-mit-manipuliert… ∗∗∗ Remotelock LS-6i: Firmware-Update zerstört smarte Türschlösser dauerhaft ∗∗∗ --------------------------------------------- Ein Hersteller smarter Türschlösser hat mindestens 500 Geräte von Kunden durch ein falsches Firmwareupdate dauerhaft zerstört. Betroffen sind vor allem viele Airbnb-Vermieter, ein Austauschprogramm ist gestartet. --------------------------------------------- https://www.golem.de/news/remotelock-ls-6i-firmware-update-zerstoert-smarte… ∗∗∗ Sonic Spy: Forscher finden über 4.000 spionierende Android-Apps ∗∗∗ --------------------------------------------- Ein einziger Anbieter soll seit Jahresanfang rund 4.000 Apps mit bösartigem Inhalt in Umlauf gebracht haben - einige davon auch über Google Play. Die Apps können das Mikrofon aktivieren und Telefonate mitschneiden. --------------------------------------------- https://www.golem.de/news/sonic-spy-forscher-finden-ueber-4000-spionierende… ∗∗∗ Many Factors Conspire in ICS/SCADA Attacks ∗∗∗ --------------------------------------------- A report on the state of SCADA and ICS security points out that critical infrastructure operators are caught between hackers and a lack of vendor and executive support. --------------------------------------------- http://threatpost.com/many-factors-conspire-in-icsscada-attacks/127407/ ∗∗∗ Outlook Web Access based attacks, (Sat, Aug 12th) ∗∗∗ --------------------------------------------- Recently weve started seeing some attacks that utlise OWA. A person in the victim organisation sends an email to one or more of their customers informing them of change in account details. The attacker provides instructions to customers on paying their account utilising the new account details. The email is cced to other internal staff adding a level of legitimacy (also compromised accounts). --------------------------------------------- https://isc.sans.edu/diary/rss/22710 ∗∗∗ A new issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: Family business: Petya and its derivatives sweep over half the world as a new wave of ransomware Pay a ransom [...] --------------------------------------------- https://securityblog.switch.ch/2017/08/14/a-new-issue-of-our-switch-securit… ∗∗∗ Sicherheitsupdate: Symantecs Messaging Gateway ist für Schadcode empfänglich ∗∗∗ --------------------------------------------- Mit der aktuellen Version haben die Entwickler zwei Sicherheitslücken in der Schutzlösung geschlossen. --------------------------------------------- https://heise.de/-3799171 ∗∗∗ Datenbank-Server PostgreSQL: Lücke lässt Anmeldung ohne Passwort zu ∗∗∗ --------------------------------------------- Administratoren, die PostgreSQL-Datenbanken betreiben, sollten ihre Software updaten. Unter bestimmten Umständen können sich Angreifer an den Servern ohne Eingabe eines Passwortes anmelden, warnen die Entwickler. --------------------------------------------- https://heise.de/-3799721 ===================== = Advisories = ===================== ∗∗∗ DSA-3937 zabbix - security update ∗∗∗ --------------------------------------------- Lilith Wyatt discovered two vulnerabilities in the Zabbix networkmonitoring system which may result in execution of arbitrary code ordatabase writes by malicious proxies. --------------------------------------------- https://www.debian.org/security/2017/dsa-3937 ∗∗∗ HPESBHF03768 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- Potential security vulnerabilities have been identified in HPE Intelligent Management Center (iMC) Plat. These vulnerabilities could be exploited remotely to allow remote code execution. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ VMSA-2017-0014 ∗∗∗ --------------------------------------------- VMware NSX-V Edge updates address OSPF Protocol LSA DoS --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0014.html ∗∗∗ DSA-3936 postgresql-9.6 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3936 ∗∗∗ DSA-3935 postgresql-9.4 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3935 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010501 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005160 ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-9461) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010376 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a Network Security Services (NSS) vulnerability (CVE-2017-5461) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006960 Next End-of-Day Report: 2017-08-16 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2017
by Daily end-of-shift report 11 Aug '17

11 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2017 18:00 − Freitag 11-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ Git und Co: Bösartige Code-Repositories können Client angreifen ∗∗∗ --------------------------------------------- Mittels spezieller SSH-URLs kann ein Angreifer Code in den Client-Tools von Quellcode-Verwaltungssystemen ausführen. Der Fehler betrifft praktisch alle verbreiteten Quellcode-Verwaltungssysteme wie Git, Subversion, Mercurial und CVS. --------------------------------------------- https://www.golem.de/news /git-und-co-boesartige-code-repositories-koennen-client-angreifen-17 08-129441.html ∗∗∗ Ukrainian Video-Blogger Arrested For Spreading Petya (NotPetya) Ransomware ∗∗∗ --------------------------------------------- Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine .. --------------------------------------------- https://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html ∗∗∗ Russias Fancy Bear Hackers Used Leaked NSA Tool Eternal Blue" to Target Hotel Guests ∗∗∗ --------------------------------------------- The same hackers who hit the DNC and the Clinton campaign are now apparently spying on high-value travelers via Wi-Fi --------------------------------------------- https://www.wired.com/story/fancy-bear-hotel-hack ∗∗∗ Sichere Passwörter: Viele der herkömmlichen Sicherheitsregeln bringen nichts ∗∗∗ --------------------------------------------- Passwörter brauchen Sonderzeichen, Groß- und Kleinschreibung, Zahlen und müssen oft geändert werden – viele dieser Regeln erhöhen die Sicherheit nicht, sondern bewirken oft das Gegenteil. Der Urheber dieser Regeln bereut sie mittlerweile. --------------------------------------------- https://heise.de/-3797935 ∗∗∗ "Game of Thrones": HBO wollte Hackern 250.000 Dollar Lösegeld zahlen ∗∗∗ --------------------------------------------- Offenbar nur Hinhaltetaktik – Kriminelle: Versprechen wurden gebrochen --------------------------------------------- http://derstandard.at/2000062546236 ∗∗∗ Schüler deckt Google-Lücke auf, streicht 10.000 Dollar ein ∗∗∗ --------------------------------------------- Bug Bounty-Programm verschafft Schüler aus Uruguay unerwarteten Geldsegen --------------------------------------------- http://derstandard.at/2000062559352 ===================== = Advisories = ===================== ∗∗∗ DSA-3929 libsoup2.4 - security update ∗∗∗ --------------------------------------------- Aleksandar Nikolic of Cisco Talos discovered a stack-based bufferoverflow vulnerability in libsoup2.4, a HTTP library implementation inC. A remote attacker can take advantage of this flaw by sending aspecially crafted HTTP request to cause an application using .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3929 ∗∗∗ DSA-3934 git - security update ∗∗∗ --------------------------------------------- Joern Schneeweisz discovered that git, a distributed revision controlsystem, did not correctly handle maliciously constructed ssh://URLs. This allowed an attacker to run .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3934 ∗∗∗ SIMPlight SCADA Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-01 ∗∗∗ Solar Controls Heating Control Downloader (HCDownloader) ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02 ∗∗∗ Solar Controls WATTConfig M Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03 ∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-222-04 ∗∗∗ Symantec Messaging Gateway RCE and CSRF ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates /detail.jsp?fid=security_advisory&pvid=security_advisory&year=2017&s uid=20170810_00 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2017
by Daily end-of-shift report 10 Aug '17

10 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2017 18:00 − Donnerstag 10-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ IT-Branche: "Sicherheitspaket" gefährdet Cybersicherheit ∗∗∗ --------------------------------------------- In einem offenen Brief warnen Vertreter der österreichischen IT-Branche vor Gefahren für die Cybersicherheit durch das von der ÖVP geplante „Sicherheitspaket“. --------------------------------------------- https://futurezone.at/netzpolitik/it-branche-sicherheitspaket-gefaehrdet-cy… ∗∗∗ Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities ∗∗∗ --------------------------------------------- An unnamed firm is paying up to $250,000 for vulnerabilities related to its virtualization platform. --------------------------------------------- http://threatpost.com/mystery-company-offers-250000-bounty-for-vm-escape-vu… ∗∗∗ SAP Patch Tuesday Update Resolves 19 Flaws, Three High Severity ∗∗∗ --------------------------------------------- SAP released 19 patches on Tuesday, including a trio of vulnerabilities marked high severity in its business management software. --------------------------------------------- http://threatpost.com/sap-patch-tuesday-update-resolves-19-flaws-three-high… ∗∗∗ Salesforce sacks two top security engineers for their DEF CON talk ∗∗∗ --------------------------------------------- Revealing penetration-testing tool sealed staffers fate Salesforce fired two of its senior security engineers after they revealed details of an internal tool for testing IT defenses at DEF CON last month.… --------------------------------------------- www.theregister.co.uk/2017/08/10/salesforce_fires_its_senior_security_engin… ∗∗∗ Bundeskriminalamt (BK) warnt österreichische Unternehmen vor CEO-Betrug ∗∗∗ --------------------------------------------- http://www.bmi.gv.at/cms/bk/_news/start.aspx?id=534C4362372B557557664D3D&pa… ∗∗∗ The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says ∗∗∗ --------------------------------------------- An anonymous researcher has been able to identify the email address of people who have subscribed to the monthly dump service by the mysterious hacking group. --------------------------------------------- https://motherboard.vice.com/en_us/article/neejqw/the-shadow-brokers-have-m… ∗∗∗ Alleged vDOS Operators Arrested, Charged ∗∗∗ --------------------------------------------- Two young Israeli men alleged by this author to have co-founded vDOS -- until recently the largest and most profitable cyber attack-for-hire service online -- were arrested and formally indicted this week in Israel on conspiracy and hacking charges. --------------------------------------------- https://krebsonsecurity.com/2017/08/alleged-vdos-operators-arrested-charged/ ===================== = Advisories = ===================== ∗∗∗ Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2900951 ∗∗∗ Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2900966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2017
by Daily end-of-shift report 09 Aug '17

09 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2017 18:00 − Mittwoch 09-08-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read ∗∗∗ --------------------------------------------- For the past couple of months I’ve been presenting my “Introduction to Windows Logical Privilege Escalation Workshop” at a few conferences. The restriction of a 2 hour slot fails to do the topic justice and some interesting tips and tricks I would like to present have to be cut out. --------------------------------------------- http://googleprojectzero.blogspot.com/2017/08/windows-exploitation-tricks-a… ∗∗∗ Engineering Firm Leaks Sensitive Data on Dell, SBC and Oracle ∗∗∗ --------------------------------------------- Power Quality Engineering publicly exposed sensitive electrical infrastructure data on the public internet tied to Dell Technologies, SBC, Freescale, Oracle, Texas Instruments and the City of Austin. --------------------------------------------- http://threatpost.com/engineering-firm-leaks-sensitive-data-on-dell-sbc-and… ∗∗∗ WTF is Mughthesec!? poking on a piece of undetected adware ∗∗∗ --------------------------------------------- Some undetected adware named "Mughthesec" is infecting Macs...lets check it out! --------------------------------------------- https://objective-see.com/blog/blog_0x20.html ∗∗∗ How are people fooled by this? Email to sign a contract provides malware instead. ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/22696 ∗∗∗ Security Afterworks – Best of Summer of Security Conferences ∗∗∗ --------------------------------------------- September 14, 2017 - 4:30 pm - 6:00 pm SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/security-afterworks-best-of-summer-of-s… ∗∗∗ Chip Off the Old EMV ∗∗∗ --------------------------------------------- Recently, Jason Knowles of ABC 7s I-Team asked us, "What is the security risk if your EMV chip falls off your credit card? What could someone do with that?" --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Chip-Off-the-Old-EMV/ ∗∗∗ Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev ∗∗∗ --------------------------------------------- WannaCry ransomware killer due in court August 14 British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/08/marcus_hutc… ∗∗∗ FBIs spyware-laden video claims another scalp: Alleged sextortionist charged ∗∗∗ --------------------------------------------- Feds NIT punches through Tor anonymity shield The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/08/09/fbis_spywar… ∗∗∗ Critical Security Fixes from Adobe, Microsoft ∗∗∗ --------------------------------------------- Adobe has released updates to fix at least 67 vulnerabilities in its Acrobat, Reader and Flash Player software. Separately, Microsoft today issued patches to plug 48 security holes in Windows and other Microsoft products. If you use Windows or Adobe products, its time once again to get your patches on. More than two dozen of the vulnerabilities fixed in todays Windows patch bundle address "critical" .. --------------------------------------------- https://krebsonsecurity.com/2017/08/critical-security-fixes-from-adobe-micr… ∗∗∗ Sonderzeichen, Ziffern und Co: Erfinder bereut Passwort-Regeln ∗∗∗ --------------------------------------------- 2003 entwarf Bill Burr für US-Behörden Passwortregeln, die sich bald global durchsetzten – und heute als unsicher gelten --------------------------------------------- http://derstandard.at/2000062463061 ===================== = Advisories = ===================== ∗∗∗ OSIsoft PI Integrator ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cross-site scripting and improper authorization vulnerabilities in OSIsoft’s PI Integrator for SAP HANA 2016, PI Integrator for Business Analytics 2016 - Data Warehouse, PI Integrator for Business Analytics 2016 - Business Intelligence, PI Integrator for Business Analytics and SAP HANA SQL Utility 2016, and PI Integrator for Microsoft Azure 2016. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-220-01 ∗∗∗ Moxa SoftNVR-IA Live Viewer ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in Moxa’s SoftNVR-IA Live Viewer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02 ∗∗∗ FortiOS IKE VendorID version information disclosure ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-073 ∗∗∗ FortiWeb SNMPv3 user password viewable in HTML source code ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-162 ∗∗∗ Sicherheitslücken in mehreren Jenkins-Plugins ∗∗∗ --------------------------------------------- https://heise.de/-3796342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2017
by Daily end-of-shift report 08 Aug '17

08 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 07-08-2017 18:00 − Dienstag 08-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ Hotspot Shield: VPN-Provider soll Nutzer per Javascript ausspionieren ∗∗∗ --------------------------------------------- Der VPN-Provider Hotspot soll seine Nutzer durch Javascript-Elemente und Werbung ausspionieren - obwohl er genau das Gegenteil behauptet. Das wirft eine US-Bürgerrechtsorganisation dem Unternehmen vor und hat Beschwerde bei der FTC eingereicht. --------------------------------------------- https://www.golem.de/news/hotspot-shield-vpn-provider-soll-javascript-in-ve… ∗∗∗ Google Patches 10 Critical Bugs in August Android Security Bulletin ∗∗∗ --------------------------------------------- Googles August Android Security Bulletin featured patches for nearly a dozen remote code execution bugs impacting Googles Pixel and Nexus handsets. --------------------------------------------- http://threatpost.com/google-patches-10-critical-bugs-in-august-android-sec… ∗∗∗ Microsoft to remove WoSign and StartCom certificates in Windows 10 ∗∗∗ --------------------------------------------- Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wos… ∗∗∗ How Chat App Discord Is Abused by Cybercriminals to Attack ROBLOX Players ∗∗∗ --------------------------------------------- Cybercriminals targeting gamers are nothing new. We’ve reported many similar incidents in the past, from fake game apps to real-money laundering through online game currencies. Usually the aim is simple: to steal personal information and monetize it. And .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/chat-app-discord… ∗∗∗ Practical Analysis of the Cybersecurity of European Smart Grids ∗∗∗ --------------------------------------------- This paper summarizes the experience gained during a series of practical cybersecurity assessments of various components of Europe’s smart electrical grids. --------------------------------------------- http://digitalsubstation.com/en/2017/08/07/practical-analysis-of-nbsp-the-c… ∗∗∗ Google warnt Entwickler von Chrome-Erweiterungen vor Phishing-Mails ∗∗∗ --------------------------------------------- Betrüger sind auf der Jagd nach Log-in-Daten von Entwickler-Accounts, um Chrome-Erweiterungen mit Schadcode zu verseuchen und anschließend zu verteilen, warnt Google. --------------------------------------------- https://heise.de/-3795160 ∗∗∗ Hacker erpressen HBO mit weiteren "Game of Thrones"-Folgen ∗∗∗ --------------------------------------------- Erpresser haben Skript zu Folge 5 von Staffel 7 veröffentlicht und fordern Geld, um weitere Publizierungen zu unterlassen --------------------------------------------- http://derstandard.at/2000062391623 ∗∗∗ IWF warnt: Cyber-Angriffe gefährden weltweite Finanzstabilität ∗∗∗ --------------------------------------------- Attacken von Hackern und Kriminellen immer raffinierter --------------------------------------------- http://derstandard.at/2000062403498 ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-23), Adobe Acrobat and Reader (APSB17-24), Adobe Experience Manager (APSB17-26) and Adobe Digital Editions (APSB17-27). Adobe recommends users update their product installations to the .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1480 ∗∗∗ Vulnerability in F2FS File System Leads To Memory Corruption on Android, Linux ∗∗∗ --------------------------------------------- August’s Android Security Bulletin includes three file system vulnerabilities (CVE-2017-10663, CVE-2017-10662, and CVE-2017-0750 that were discovered by Trend Micro researchers. These vulnerabilities could cause memory corruption on the affected devices, .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/vulnerability-f2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2017
by Daily end-of-shift report 07 Aug '17

07 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-08-2017 18:00 − Montag 07-08-2017 18:00 Handler: Alexander Riepl Co-Handler: ===================== = News = ===================== ∗∗∗ You Can Trick Self-Driving Cars by Defacing Street Signs ∗∗∗ --------------------------------------------- A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/you-can-trick-self-driving-c… ∗∗∗ Passwortmanager: Lastpass ab sofort doppelt so teuer ∗∗∗ --------------------------------------------- Wer den Passwortmanager Lastpass nutzt, muss künftig mehr bezahlen. Nutzern der kostenfreien Version werden einige Funktionen gestrichten. Außerdem kündigt .. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-ab-sofort-doppelt-so-teu… ∗∗∗ Links in phishing-like emails lead to tech support scam ∗∗∗ --------------------------------------------- Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites. Anti-spam filters in Microsoft Exchange .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/07/links-in-phishing-like-… ∗∗∗ Increase of phpMyAdmin scans ∗∗∗ --------------------------------------------- PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that brings MySQL to the web as stated on the web site[1]. The tool is very popularamongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! It is a common findingin many penetration tests to find an old PMA interface left byan admin. --------------------------------------------- https://isc.sans.edu/diary/rss/22688 ∗∗∗ ESET Spreading FUD About Torrent Files, Clients ∗∗∗ --------------------------------------------- An anonymous reader writes: ESET has taken fear mongering, something that some security firms continue to do, to a new level by issuing a blanket warning to users to view torrent files and clients as a threat. The warning came from the companys so-called security evangelist Ondrej Kubovic, (who used extremely patchy data to try and .. --------------------------------------------- https://it.slashdot.org/story/17/08/04/1938242/eset-spreading-fud-about-tor… ∗∗∗ Tale of the Two Payloads – TrickBot and Nitol ∗∗∗ --------------------------------------------- A couple of weeks ago, we observed the Necurs botnet distributing a new malware spam campaign with a payload combo that includes Trickbot and Nitol. Trickbot is a banking trojan .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%e2… ∗∗∗ Erpressungstrojaner Cerber soll Bitcoins klauen ∗∗∗ --------------------------------------------- Offenbar ist den Malware-Entwicklern von Cerber das Lösegeld nicht genug: Der Verschlüsselungstrojaner soll sich nun auch Bitcoin-Wallets und Passwörter unter den Nagel reißen. --------------------------------------------- https://heise.de/-3793763 ∗∗∗ FireEye dementiert Hacker-Angriff auf US-Sicherheitsfirma Mandiant ∗∗∗ --------------------------------------------- Ein unbekannter Hacker brüstete sich damit, dass er das Netzwerk von Mandiant und Computer von Mitarbeitern kompromittiert hat. FireEye erklärt nun, dass das nicht stimmt. --------------------------------------------- https://heise.de/-3794454 ∗∗∗ Hackercamp SHA2017: All Computers are broken ∗∗∗ --------------------------------------------- ACAB mag in anderen Kreisen etwas anderes bedeuten, doch für Hacker ist die Sache klar: All Computers are broken. Das wurde auf dem niederländischen Hackercamp SHA2017 deutlich. --------------------------------------------- https://heise.de/-3794575 ∗∗∗ Hintergrund: Die Geschichte von Junipers enteigneter Hintertür ∗∗∗ --------------------------------------------- In einem mehrfach ausgezeichneten Paper liefern Forscher eine Art Krypto-Krimi. Sie dokumentieren minutiös, wie der Netzwerkausrüster Juniper eine versteckte Hintertür in seine Produkte einbaute – und wie ein externer Angreifer sie später umfunktionierte. --------------------------------------------- https://heise.de/-3794610 ∗∗∗ Gefälschte GMX-Nachricht: Konto gesperrt ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte GMX-Nachricht mit dem Betreff „GMX Konto Gesperrt“. Darin behaupten sie, dass das E-Mailkonto der Empfänger/innen gelöscht werde. Kund/innen, die das verhindern wollen, sollen ihre Zugangsdaten auf einer gefälschten GMX-Website .. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-gmx-nachricht-konto-… ===================== = Advisories = ===================== ∗∗∗ DSA-3926 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3926 ∗∗∗ DSA-3925 qemu - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3925 ∗∗∗ Eaton ELCSoft Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-216-01-0 ∗∗∗ WP Live Chat Support <= 7.1.04 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8880 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2017
by Daily end-of-shift report 04 Aug '17

04 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2017 18:00 − Freitag 04-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Week In Review – 4th August 2017 ∗∗∗ --------------------------------------------- Creating Fake Identities Everything today seems to be linked to your identity; or perhaps more specifically, to your digital identity. While safeguarding ones identity is important, it is also equally important to find ways to stop people from creating fake identities. Kevin Mitnick belonged to an earlier generation that many of this generations up and comers may not have heard of. While today he is a respectable information security professional, he wasn’t always quite a white hat, and [...] --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/week-in-review-4th-aug… ∗∗∗ JavaScript Packages Caught Stealing Environment Variables ∗∗∗ --------------------------------------------- On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/javascript-packages-caught-s… ∗∗∗ Verseuchte Chrome-Erweiterung infiziert eine Million User ∗∗∗ --------------------------------------------- Die Erweiterung Web Developer wurde gekapert und durch eine Version mit Schadsoftware ausgetauscht und an User verteilt. --------------------------------------------- https://futurezone.at/digital-life/verseuchte-chrome-erweiterung-infiziert-… ∗∗∗ Verhaftung nach Black Hat: Wanna-Cry-Hacker soll Bankingtrojaner entwickelt haben ∗∗∗ --------------------------------------------- Ein britischer Sicherheitsforscher und Hacker ist in den USA verhaftet worden. Der 23-Jährige hatte unabsichtlich dazu beigetragen, die Ausbreitung von Wanna Cry zu verlangsamen. Er soll an der Entwicklung des Kronos-Bankentrojaners beteiligt gewesen sein. --------------------------------------------- https://www.golem.de/news/wanna-cry-sicherheitsforscher-malwaretech-in-den-… ∗∗∗ Weekly Security Roundup ∗∗∗ --------------------------------------------- This week, we’ve published an article about session hijacking, a dangerous hacking method that takes control of a user’s account as they are live and using it. Security articles of the week (July 31st – August 4th, 2017) The biggest story from the beginning of this week was the HBO hack that ended up with leaked [...] --------------------------------------------- https://heimdalsecurity.com/blog/weekly-security-roundup/ ∗∗∗ Cisco schließt Super-Admin-Lücke ∗∗∗ --------------------------------------------- Der Netzwerkausrüster stellt elf Sicherheitsupdates für diverse Produkte bereit. Von den Lücken soll ein mittleres bis hohes Risiko ausgehen. --------------------------------------------- https://heise.de/-3793025 ===================== = Advisories = ===================== ∗∗∗ Upcoming Security Updates for Adobe Reader and Acrobat (APSB17-24) ∗∗∗ --------------------------------------------- A prenotification Security Advisory has been posted regarding upcoming Adobe Reader and Acrobat updates scheduled for Tuesday, August 8, 2017. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1478 ∗∗∗ Schneider Electric Pro-face GP-Pro EX ∗∗∗ --------------------------------------------- This advisory contains mitigation details for an uncontrolled search path element vulnerability in Schneider Electric’s Pro-face GP-Pro EX. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01 ∗∗∗ IBM Security Bulletin: A vulnerability in libtirpc affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025258 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004331 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Extreme Scale ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005297 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos TM1 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006551 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Insight ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2017
by Daily end-of-shift report 03 Aug '17

03 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2017 18:00 − Donnerstag 03-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows Defender ATP machine learning: Detecting new and unusual breach activity ∗∗∗ --------------------------------------------- Microsoft has been investing heavily in next-generation security technologies. These technologies use our ability to consolidate large sets of data and build intelligent systems that learn from that data. These machine learning (ML) systems flag and surface threats that would otherwise remain unnoticed amidst the continuous hum of billions of normal events and the inability... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/08/03/windows-defender-atp-ma… ∗∗∗ Enemy at the gates: Reviewing the Magnitude exploit kit redirection chain ∗∗∗ --------------------------------------------- Over the last few months, we have been keeping an eye on the Magnitude exploit kit which is mainly used to deliver the Cerber ransomware to specific countries in Asia. Our telemetry shows that South Korea is most impacted via ongoing malvertising campaigns. When a visitor goes to a website that monetizes its traffic via adverts he may be exposed to malicious advertising. Tailored ads shown in the browser are initiated on-the-fly via a process known as Real-time Bidding (RTB). --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/08/enemy-at-the-gates-reviewi… ∗∗∗ The Retefe Saga ∗∗∗ --------------------------------------------- Surprisingly, there is a lot of media attention going on at the moment on a macOS malware called OSX/Dok. In the recent weeks, various anti-virus vendors and security researchers published blog posts on this threat, presenting their analysis and findings. While some findings where very interesting, others were misleading or simply wrong. --------------------------------------------- https://www.govcert.admin.ch/blog/33/the-retefe-saga ∗∗∗ Warnung vor Fake-Mail "Ihr Konto wurde limitiert" ∗∗∗ --------------------------------------------- [...] Diese E-Mail gibt sich als PayPal (service@ ppal.com) aus, PayPal hat mit der Betrugsmasche jedoch nichts zu tun. PayPal selbst wurde hier Opfer, indem sein Name missbräuchlich verwendet wird, um Nutzer in die Falle zu locken! --------------------------------------------- http://www.mimikama.at/allgemein/ihr-konto/ ∗∗∗ Sicherheitspatches: Varnish anfällig für DoS-Attacke ∗∗∗ --------------------------------------------- In verschiedenen Versionen von Varnish klafft eine Schwachstelle, über die Angreifer Server attackieren könnten. --------------------------------------------- https://heise.de/-3791311 ∗∗∗ Pwned Passwords: Neuer Dienst macht geknackte Passwörter auffindbar ∗∗∗ --------------------------------------------- Wurde mein Lieblings-Passwort schon einmal in einem Datenleck veröffentlicht und kann deswegen einfach für Bruteforce-Angriffe verwendet werden? Diese Frage beantwortet ein neuer Webdienst des Sicherheitsforschers Troy Hunt. --------------------------------------------- https://heise.de/-3792707 ∗∗∗ Malicious content delivered over SSL/TLS has more than doubled in six months ∗∗∗ --------------------------------------------- Threats using SSL encryption are on the rise. An average of 60 percent of the transactions in the Zscaler cloud have been delivered over SSL/TLS. Researchers also found that the Zscaler cloud saw an average of 8.4 million SSL/TLS-based security blocks per day this year. “Hackers are increasingly using SSL to conceal device infections, shroud data exfiltration and hide botnet command and control communications. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/03/malicious-content-ssl-tls/ ∗∗∗ Gefälschte Bank Austria-Nachricht: Änderungen im OnlineBanking ∗∗∗ --------------------------------------------- In einer gefälschten Bank Austria-Nachricht schreiben Kriminelle, dass es zu einer Änderung im OnlineBanking-System gekommen sei. Das führt zu Fehlern, weshalb Kund/innen ihre Zugangsdaten auf einer Website nennen sollen. Empfänger/innen der Nachricht, die dem nachkommen, übermitteln ihre Passwörter an Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-bank-austria-nachric… ===================== = Advisories = ===================== ∗∗∗ Cisco Videoscape Distribution Suite Cache Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the cache server within Cisco Videoscape Distribution Suite (VDS) for Television could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted appliance.The vulnerability is due to excessive mapped connections exhausting the allotted resources within the system. An attacker could exploit this vulnerability by sending large amounts of inbound traffic to a device with the intention of overloading certain resources. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to bypass local authentication.The vulnerability is due to improper handling of authentication requests and policy assignment for externally authenticated users. An attacker could exploit this vulnerability by authenticating with a valid external user account that matches an internal username and incorrectly receiving the authorization policy ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003928 ∗∗∗ IBM Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009711 ∗∗∗ IBM Security Bulletin: CVE-2015-4000 Diffie-Hellman Export Cipher Suite Vulnerabilities in Multiple N series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009681 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2017
by Daily end-of-shift report 02 Aug '17

02 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2017 18:00 − Mittwoch 02-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ein paar Thesen zu aktuellen Gesetzesentwürfen ∗∗∗ --------------------------------------------- Ein paar Thesen zu aktuellen Gesetzesentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, .. --------------------------------------------- http://www.cert.at/services/blog/20170731130131-2076.html ∗∗∗ Auch bei Amazon: Android-Smartphones mit vorinstallierter Malware im Umlauf ∗∗∗ --------------------------------------------- Vorinstallierte Malware auf dem Smartphone dürfte für viele Nutzer ein Albtraum sein. In einem aktuellen Fall sollen günstige Smartphones des Herstellers Nomu betroffen sein. Diese sind auch in Deutschland bestellbar. --------------------------------------------- https://www.golem.de/news/auch-bei-amazon-android-smartphones-mit-vorinstal… ∗∗∗ WannaCry Inspires Banking Trojan to Add Self-Spreading Ability ∗∗∗ --------------------------------------------- Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to .. --------------------------------------------- https://thehackernews.com/2017/08/trickbot-banking-trojan.html ∗∗∗ Invisible Man malware runs keylogger on your Android banking apps ∗∗∗ --------------------------------------------- Top tip: Dont fetch and install dodgy Flash updates from random websites A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, were told. --------------------------------------------- http://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/ ∗∗∗ Sorry, psycho bosses, its not OK to keylog your employees ∗∗∗ --------------------------------------------- In Germany, at least, youre gonna have to get your jollies some other way Installing keylogging software on your employees computers and using what you find to fire them is not OK, a German court has decided. --------------------------------------------- http://www.theregister.co.uk/2017/08/02/keylogging_software_for_employees/ ∗∗∗ Exposed IoT servers let hackers unlock prison cells, modify pacemakers ∗∗∗ --------------------------------------------- A researcher has found an often misconfigured protocol (MQTT) puts heart monitors, oil pipelines or particle accelerators at risk of attack. --------------------------------------------- http://www.zdnet.com/article/exposed-servers-hack-prison-cells-alter-pacema… ∗∗∗ Sicherheitsupdates: VMware vCenter Server und Tools angreifbar ∗∗∗ --------------------------------------------- Die Entwickler schließen mehrere Schwachstellen in ihrer Software. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-3790197 ∗∗∗ Most damaging threat vector for companies? Malicious insiders ∗∗∗ --------------------------------------------- According to a new SANS survey, 40 percent of respondents rated malicious insiders (insiders who intentionally do harm) as the most damaging threat vector their companies faced. Furthermore, nearly half (49 percent) said they were in the process of developing a formal incident response plan with provisions .. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/02/malicious-insiders-threat-vector/ ===================== = Advisories = ===================== ∗∗∗ Mitsubishi Electric Europe B.V. E-Designer ∗∗∗ --------------------------------------------- This advisory contains mitigation details for heap-based buffer overflow, stack-based buffer overflow, and out-of-bounds write vulnerabilities in the Mitsubishi Electric Europe B.V. E-Designer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-213-01 ∗∗∗ Schneider Electric Trio TView ∗∗∗ --------------------------------------------- This advisory contains mitigation details for multiple vulnerabilities for Java Runtime Environment in Schneider Electric’s Trio TView software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02 ∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Driver of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170801-… ∗∗∗ Security Advisory - DoS Vulnerability of Audio Driver in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Bastet of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170802-… ∗∗∗ IBM Security Bulletin: Weaker than expected security in WebSphere Application Server (CVE-2017-1504) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006803 ∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1327) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003664 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting (XSS) Attack (CVE-2017-1199) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006618 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to multiple OpenSSL vulnerabilities (CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006602 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2017
by Daily end-of-shift report 01 Aug '17

01 Aug '17

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2017 18:00 − Dienstag 01-08-2017 18:00 Handler: Petr Sikuta Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacker bremsen Tesla Model X aus der Ferne ∗∗∗ --------------------------------------------- Chinesische Sicherheitsforscher konnten die Firmware manipulieren und zahlreiche Funktionen des Fahrzeugs kontrollieren. --------------------------------------------- https://futurezone.at/produkte/hacker-bremsen-tesla-model-x-aus-der-ferne/2… ∗∗∗ Rooting Out Hosts that Support Older Samba Versions, (Tue, Aug 1st) ∗∗∗ --------------------------------------------- Ive had a number of people ask how they can find services on their network that still support SMBv1. In an AD Domain you can generally have good control of patching and the required registry keys to disable SMBv1. However, for non-domain members thats tougher. --------------------------------------------- https://isc.sans.edu/diary/rss/22672 ∗∗∗ Windows Hacking Kurs – Durchführungsgarantie ∗∗∗ --------------------------------------------- November 30, 2017 - December 01, 2017 - All Day SBA Research Favoritenstraße 16 Vienna --------------------------------------------- https://www.sba-research.org/events/windows-hacking-kurs-durchfuhrungsgaran… ∗∗∗ CISSP Training – Durchführungsgarantie ∗∗∗ --------------------------------------------- September 11, 2017 - September 15, 2017 - All Day SBA Research Favoritenstraße 16 Vienna --------------------------------------------- https://www.sba-research.org/events/cissp-training-durchfuhrungsgarantie-6/ ∗∗∗ Incident Response Kurs – Durchführungsgarantie ∗∗∗ --------------------------------------------- September 27, 2017 - September 29, 2017 - All Day SBA Research Favoritenstraße 16 1040 Wien --------------------------------------------- https://www.sba-research.org/events/incident-response-kurs-durchfuhrungsgar… ∗∗∗ Cobalt strikes back: an evolving multinational threat to finance ∗∗∗ --------------------------------------------- Cobalt has attacked banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The group is not afraid to use the names of regulatory authorities or security topics to trick recipients into opening phishing messages from illegitimate domains. Now they actively use Supply Chain Attacks to leverage the infrastructure and accounts of actual employees at one company, in order to forge convincing emails targeting a different partner organization --------------------------------------------- http://blog.ptsecurity.com/2017/08/cobalt-group-2017-cobalt-strikes-back.ht… ∗∗∗ Reddoxx: Angreifer können TÜV-geprüfte Mail-Archivierungssoftware kapern ∗∗∗ --------------------------------------------- Ein einfacher Ping-Befehl, der über ein Admin-Interface ausgelöst wird lässt sich von jedermann aus der Ferne missbrauchen, um beliebigen Code auszuführen. So können Angreifer die E-Mail-Software für rechtssichere Archivierung übernehmen. --------------------------------------------- https://heise.de/-3785041 ∗∗∗ Phisher bringen Chrome-Erweiterung Copyfish unter ihre Kontrolle ∗∗∗ --------------------------------------------- Wer die aktuelle Version von Copyfish installiert hat, wird von Werbeeinblendungen genervt. Nun hat Google die von Betrügern manipulierte Chrome-Erweiterung offline genommen. --------------------------------------------- https://heise.de/-3787978 ∗∗∗ NeoCoolCam: Chinesische IP-Kameras mit massiven Sicherheitslücken ∗∗∗ --------------------------------------------- Sicherheitsforscher haben wieder einmal gravierende Sicherheitslücken in IP-Kameras aufgedeckt. Mindestens 175.000 Geräte des Herstellers Shenzhen Neo Electronics lassen sich mit einfachen Mitteln aus dem Netz kapern. --------------------------------------------- https://heise.de/-3788061 ∗∗∗ Hackers can turn Amazon Echo into a covert listening device ∗∗∗ --------------------------------------------- New research released by MWR InfoSecurity reveals how attackers can compromise the Amazon Echo and turn it into a covert listening device, without affecting its overall functionality. Found to be susceptible to a physical attack, which allows an attacker to gain a root shell on the Linux Operating Systems and install malware, the Amazon Echo would enable hackers to covertly monitor and listen in on users and steal private data without their permission or knowledge. --------------------------------------------- https://www.helpnetsecurity.com/2017/08/01/amazon-echo-covert-listening/ ∗∗∗ Hinweis auf betrügerische Bestellung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine E-Mail, in der sie von einer Online-Bestellung sprechen. Sie sei von „Schwindlern begangen" worden. Empfänger/innen können Angaben zu der betrügerischen Bestellung auf einer Website herunterladen. Wenn sie das tun, installieren Nutzer/innen Schadsoftware auf ihrem Computer. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/hinweis-auf-betrue… ∗∗∗ KRITIS: Erster branchenspezifischer Sicherheitsstandard anerkannt ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Erster_bran… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1328: Red Hat JBoss Enterprise Application Platform: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1328/ ∗∗∗ DFN-CERT-2017-1330: McAfee Security Scan Plus: Eine Schwachstelle ermöglicht die Ausführung beliebiger Programme mit Benutzerrechten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1330/ ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to retrieval of access credentials by highly privileged users ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006068 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to a privilege escalation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006067 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to XML External Entity Injection (XXE) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005803 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server has a network layer security vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006063 ∗∗∗ IBM Security Bulletin: Session fixation defect in IBM Security AppScan Enterprise (CVE-2016-9981) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006430 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2017
by Daily end-of-shift report 31 Jul '17

31 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-07-2017 18:00 − Montag 31-07-2017 18:00 Handler: Robert Waldner Co-Handler: ===================== = News = ===================== ∗∗∗ Ein paar Thesen zu aktuellen Gesetzentwürfen ∗∗∗ --------------------------------------------- Ein paar Thesen zu aktuellen Gesetzentwürfen31. Juli 2017Das Thema "LE going dark in the age of encrytion" kocht mal wieder hoch, und noch schnell vor den Neuwahlen wurden entsprechende Gesetzesentwürfe eingebracht. Ich will hier aus technischer Sicht ein paar Argumente in die Diskussion einwerfen, beschränke mich hier aber rein auf den Aspekt Überwachung trotz Verschlüsselung. --------------------------------------------- http://www.cert.at/services/blog/20170731130131-2076.html ∗∗∗ Reverse Engineering a JavaScript Obfuscated Dropper ∗∗∗ --------------------------------------------- 1. Introduction Nowadays one of the techniques most used to spread malware on windows systems is using a JavaScript (js) dropper. A js dropper represents, in most attack scenarios, the first stage of a malware infection. It happens because Windows systems allow the execution of various scripting language using the Windows Script Host (WScript). This […]The post Reverse Engineering a JavaScript Obfuscated Dropper appeared first on InfoSec Resources. --------------------------------------------- http://resources.infosecinstitute.com/reverse-engineering-javascript-obfusc… ∗∗∗ A new era in mobile banking Trojans ∗∗∗ --------------------------------------------- In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services. --------------------------------------------- http://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ ∗∗∗ LeakerLocker Mobile Ransomware Threatens to Expose User Information ∗∗∗ --------------------------------------------- While mobile ransomware such as the recent SLocker focuses on encrypting files on the victim’s devices, a new mobile ransomware named LeakerLocker taps into its victims worst fears by allegedly threatening to send personal data on a remote server and expose its contents to everyone on their contact lists. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/tDsXJe6LJ0g/ ∗∗∗ Das Millionengeschäft mit Softwarefehlern ∗∗∗ --------------------------------------------- Softwarefehler können enormen Schaden anrichten, wie zuletzt die großangelegte Cyberattacke mit der Schadsoftware „NotPetya“ gezeigt hat. Das Aufspüren solcher Schwachstellen ist die Aufgabe von Bug-Kopfgeldjägern, die damit oft gut verdienen. Interesse an den Diensten der Hacker gibt es dabei nicht nur vonseiten der Hersteller. --------------------------------------------- http://orf.at/stories/2397792/2397793/ ∗∗∗ Container security: The seven biggest mistakes companies are making ∗∗∗ --------------------------------------------- As enterprises increase adoption of containers, they also risk increasing the number of mistakes they make with the technology. Given that many companies are still wrapping their heads around the potential of container technology and how to best leverage it, that stands to reason. With that said, however, companies must ensure that they are establishing a solid foundation for security as they continue to identify strategies and workloads that make sense on a container platform. … More --------------------------------------------- https://www.helpnetsecurity.com/2017/07/31/container-security-seven-biggest… ===================== = Advisories = ===================== ∗∗∗ CAN Bus Standard Vulnerability ∗∗∗ --------------------------------------------- NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01 ∗∗∗ Security flaw shows 3G, 4G LTE networks are just as prone to stingray phone tracking ∗∗∗ --------------------------------------------- Security researchers have revealed a recently discovered vulnerability in modern, high-speed cell networks, which they say can allow low-cost phone surveillance and location tracking. --------------------------------------------- http://www.zdnet.com/article/stingray-security-flaw-cell-networks-phone-tra… ∗∗∗ Cloud-Antivirensoftware hilft beim Datenklau aus luftdichten Netzwerken ∗∗∗ --------------------------------------------- Mindestens vier Virenscanner, die verdächtige Daten zur Analyse in die Cloud hochladen, helfen beim Datenklau von ansonsten in ihrer Kommunikationsfähigkeit beschränkten PCs. Auch Virustotal ist betroffen. --------------------------------------------- https://heise.de/-3786507 ∗∗∗ Attacking industrial pumps by adjusting valves to create bubbles in the pipes. ∗∗∗ --------------------------------------------- https://twitter.com/KraftCERT/status/891929915200856064 ∗∗∗ DFN-CERT-2017-1309/">FreeRDP: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1309/ ∗∗∗ [webapps] GitHub Enterprise < 2.8.7 - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42392/?rss ∗∗∗ IBM Security Bulletin: CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668 and CVE-2017-7679 in IBM i HTTP Server ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022204 ∗∗∗ IBM Security Bulletin: 10x vulnerability in IBM Control Center could allow an outside user to obtain the ID (CVE-2017-1152) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006361 ∗∗∗ IBM Security Bulletin: Non-configured connections could cause denial of service in IBM WebSphere MQ Internet Pass-Thru (CVE-2017-1118 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006580 ∗∗∗ IBM Security Bulletin: A vulnerability in Java runtime from IBM affects IBM WebSphere MQ ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005123 ∗∗∗ Fortinet FortiOS Input Validation Flaws Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039020 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2017
by Daily end-of-shift report 28 Jul '17

28 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-07-2017 18:00 − Freitag 28-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Google Study Quantifies Ransomware Profits ∗∗∗ --------------------------------------------- A ransomware study released Google revealed the malware earned criminals $25 million over the past two years. --------------------------------------------- http://threatpost.com/google-study-quantifies-ransomware-revenue/127057/ ∗∗∗ Attack Uses Docker Containers To Hide, Persist, Plant Malware ∗∗∗ --------------------------------------------- Abuse of the Docker API allows remote code execution on targeted system, which enables hackers to escalate and persists thanks to novel attacks called Host Rebinding Attack and Shadow Containers. --------------------------------------------- http://threatpost.com/attack-uses-docker-containers-to-hide-persist-plant-m… ∗∗∗ The Cloak & Dagger Attack That Bedeviled Android For Months ∗∗∗ --------------------------------------------- Not all Android attacks come from firmware mistakes. --------------------------------------------- https://www.wired.com/story/cloak-and-dagger-android-malware ∗∗∗ Hacker Says He Broke Through Samsungs Secure Smartphone Platform ∗∗∗ --------------------------------------------- When his rooting exploit worked on plenty of Android devices but failed on the Samsung Galaxy S7 Edge, researcher Di Shen decided to dig into KNOX. --------------------------------------------- https://motherboard.vice.com/en_us/article/pad5jn/hacker-says-he-broke-thro… ∗∗∗ OPC Data Access IDAPython script ∗∗∗ --------------------------------------------- An IDAPython script for IDA Pro that helps reverse engineer binaries that are using the OPC Data Access protocol. --------------------------------------------- https://github.com/eset/malware-research/blob/master/industroyer/README.adoc ∗∗∗ Internet der Dinge: Wenn die Waschstraße angreift ∗∗∗ --------------------------------------------- Sicherheitsforscher haben diverse Schwachstellen in automatisierten Autowaschstraßen gefunden, die sich sogar übers Internet missbrauchen lassen. Durch ferngesteuerte Tore, Roboterarme und Hochdruck-Wasserstrahle könnte es sogar zu Personenschäden kommen. --------------------------------------------- https://heise.de/-3785654 ∗∗∗ Microsoft opens fuzz testing service to the wider public ∗∗∗ --------------------------------------------- Microsoft Security Risk Detection, a cloud-based fuzz testing service previously known under the name Project Springfield, is now open to all and sundry. --------------------------------------------- https://www.helpnetsecurity.com/2017/07/28/microsoft-fuzz-testing-service/ ===================== = Advisories = ===================== ∗∗∗ Continental AG Infineon S-Gold 2 (PMB 8876) ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow and an improper restriction of operations within the bounds of a memory buffer vulnerability in Continental AGs Infineon S-Gold 2 (PMB 8876). --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-01 ∗∗∗ Mirion Technologies Telemetry Enabled Devices ∗∗∗ --------------------------------------------- This advisory contains mitigation details for use of hard-coded cryptographic key and inadequate encryption strength vulnerabilities in Mirion Technologies Telemetry Enabled Devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-02 ∗∗∗ PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper authentication and missing encryption of sensitive data affecting PDQ Manufacturing, Inc.s LaserWash, LaserJet, and ProTouch car washes. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03 ∗∗∗ Multiple Cisco Products OSPF LSA Manipulation Vulnerability ∗∗∗ --------------------------------------------- Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated, remote attacker to take full control of the OSPF Autonomous System (AS) domain routing table, allowing the attacker to intercept or black-hole traffic.The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2017-0012 ∗∗∗ --------------------------------------------- VMware VIX API VM Direct Access Function security issue --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0012.html ∗∗∗ VMSA-2017-0013 ∗∗∗ --------------------------------------------- VMware vCenter Server and Tools updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0013.html ∗∗∗ Vuln: Cloud Foundry Cloud Controller API CVE-2017-8036 Incomplete Fix Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/100002 ∗∗∗ DFN-CERT-2017-1305: PHPMailer: Zwei Schwachstellen ermöglichen Cross-Site-Scripting-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1305/ ∗∗∗ DFN-CERT-2017-1310: Microsoft Outlook: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1310/ ∗∗∗ FortiOS XSS vulnerabilities via FortiView Application filter, FortiToken activation & SSL VPN Replacement Messages ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-104 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSource ISC Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005830 ∗∗∗ IBM Security Bulletin: Fix Available for IBM iNotes Cross-site Scripting Vulnerability (CVE-2017-1332) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005233 ∗∗∗ IBM Security Bulletin: Multiple security vunerabilities in Oracle Java SE and Java SE Embedded affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006603 ∗∗∗ IBM Security Bulletin: IBM System Networking Switch Center is affected by a Jsch vulnerability (CVE-2016-5725) ∗∗∗ --------------------------------------------- http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a Insecure JSF ViewState found in MDM User Interface (CVE-2016-9714) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006608 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to Insecure HTTP Method – TRACE discovered in MDM User Interface (CVE-2016-9718) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006606 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to a Cross Site Request Forgery discovered in MDM User Interface (CVE-2016-9716) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006610 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting Attack (CVE-2016-9715) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006611 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities might affect IBM® SDK for Node.js™ ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22006298 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in coreutils, sudo, jasper, bind, bash, libtirpc, nss and nss-util affect IBM SmartCloud Entry ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025538 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in qemu-kvm and libguestfs affect SmartCloud Entry (CVE-2016-9603 CVE-2017-2633 CVE-2017-7718 CVE-2017-7980 CVE-2015-8869) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025529 ∗∗∗ IBM Security Bulletin: IBM i is affected by an OSPF vulnerability (CVE-2017-1460) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022191 ∗∗∗ IBM Security Bulletin: The BigFix Platform has a vulnerability that can cause denial of service ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003222 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management is vulnerable to a X-Frame-Options Header ClickJacking attack (CVE-2016-9719 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006607 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to HTTP Parameter Override discovered in MDM User Interface (CVE-2016-9717) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006605 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cloud Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=isg3T1025397 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2017
by Daily end-of-shift report 27 Jul '17

27 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-07-2017 18:00 − Donnerstag 27-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ IoT-Geräte in Österreich: 31.000 von 280.000 unsicher ∗∗∗ --------------------------------------------- In Österreich gibt es eine beträchtlich hohe Zahl ungeschützter Router und Webcams im Internet, so eine neue Studie von Avast. Warum das ein Problem ist und was man tun kann. --------------------------------------------- https://futurezone.at/produkte/iot-geraete-in-oesterreich-31-000-von-280-00… ∗∗∗ Lipizzan: Google findet neue Staatstrojaner-Familie für Android ∗∗∗ --------------------------------------------- Erneut hat Google eine Android-Spyware einer isrealischen Firma gefunden. Die Software tarnte sich als harmlose App im Playstore, die Rooting-Funktion wird dann nachgeladen. --------------------------------------------- https://www.golem.de/news/lipizzan-google-findet-neue-staatstrojaner-famili… ∗∗∗ Announcing the Windows Bounty Program ∗∗∗ --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/07/26/announcing-the-windows-… ∗∗∗ Extending Microsoft Edge Bounty Program ∗∗∗ --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg… ∗∗∗ Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets ∗∗∗ --------------------------------------------- Fully remote exploits that allow for compromise of a target without any user interaction have become something of a myth in recent years. While some are occasionally still found against insecure and unpatched targets such as routers, various IoT devices or old versions of Windows, practically no remotely exploitable bugs that reliably bypass DEP and ASLR have been found on Android and iOS. In order to compromise these devices, attackers [...] --------------------------------------------- https://blog.exodusintel.com/2017/07/26/broadpwn/ ∗∗∗ DeepINTEL Schedule updated – Psychology and Power Grids ∗∗∗ --------------------------------------------- We have updated the schedule for DeepINTEL 2017. The human mind and power grids are both critical infrastructure. Both can be manipulated and switched off, arguably. And most of us use both every day. So this is why we added two more presentations to the schedule. --------------------------------------------- http://blog.deepsec.net/deepintel-schedule-updated-psychology-power-grids/ ∗∗∗ Black Hat: Strahlungsmessgeräte per Funk manipulierbar ∗∗∗ --------------------------------------------- Ein Hacker hat Sicherheitslücken in stationären und mobilen Messgeräten für radioaktive Strahlung gefunden. Kriminelle könnten so radioaktives Material durch Kontrollen schleusen oder Fehlalarme in Kernreaktoren auslösen. Updates wird es nicht geben. --------------------------------------------- https://heise.de/-3784966 ∗∗∗ Slowloris all the things ∗∗∗ --------------------------------------------- At DEFCON, some researchers are going to announce a Slowloris-type exploit for SMB -- SMBloris. I thought Id write up some comments.The original Slowloris from several years creates a ton of connections to a web server, but only sends partial headers. The server allocates a large amount of memory to handle the requests, expecting to free that memory soon when the requests are completed. But the requests are never completed, so the memory remains tied up indefinitely. --------------------------------------------- http://blog.erratasec.com/2017/07/slowloris-all-things.html ===================== = Advisories = ===================== ∗∗∗ McAfee Releases Security Bulletin for Web Gateway ∗∗∗ --------------------------------------------- Original release date: July 27, 2017 McAfee has released a security bulletin to address multiple vulnerabilities in Web Gateway. Some of these vulnerabilities could allow a remote attacker to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2017/07/27/McAfee-Releases-Se… ∗∗∗ VU#547255: Dahua IP cameras Sonia web interface is vulnerable to stack buffer overflow ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/547255 ∗∗∗ Cisco Access Control System Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Autonomic Networking Infrastructure Certificate Revocation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Autonomic Control Plane Channel Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1295: FortiNet FortiOS, FortiAnalyzer: Mehrere Schwachstellen ermöglichen u.a die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1295/ ∗∗∗ DFN-CERT-2017-1303: Foxit PDF Compressor: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1303/ ∗∗∗ HPESBHF03765 rev.1 - HPE ConvergedSystem 700 Solution with Comware v7 Switches using OpenSSL, Remote Denial of Service (DoS) and Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ Security Advisory - MaxAge LSA Vulnerability in OSPF Protocal of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170720-… ∗∗∗ Security Advisory - BroadPwn Remote Code Execute Vulnerability ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170727-… ∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect Developer Portal (CVE-2017-6922) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005722 ∗∗∗ IBM Security Bulletin: Weaker than expected security in IBM API Connect (CVE-2017-1386) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004981 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates April 2017 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005840 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1303) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004979 ∗∗∗ [2017-07-27] Kathrein UFSconnect 916 multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ [2017-07-27] Ubiquiti Networks UniFi Cloud Key multiple critical vulnerabilities ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2017
by Daily end-of-shift report 26 Jul '17

26 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-07-2017 18:00 − Mittwoch 26-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Smart Drawing Pads Used for DDoS Attacks, IoT Fish Tank Used in Casino Hack ∗∗∗ --------------------------------------------- Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/smart-drawing-pads-used-for-… ∗∗∗ IOS Forensics ∗∗∗ --------------------------------------------- 1. INTRODUCTION Day by day, Smart phones and tablets are becoming popular, and hence technology used in development to add new features or improve the security of such devices is advancing too fast. iPhone and iPod are the game changer products launched by Apple. Apple operating system (IOS) devices started growing popular in the mobile [...] --------------------------------------------- http://resources.infosecinstitute.com/ios-forensics/ ∗∗∗ Windows SMB Zero Day to Be Disclosed During DEF CON ∗∗∗ --------------------------------------------- Microsoft has said it will not patch a two-decade-old Windows SMB vulnerability, called SMBloris because it behaves comparably to the Slowloris attacks. The flaw will be disclosed and demonstrated during DEF CON. --------------------------------------------- http://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/1… ∗∗∗ WikiLeaks drops another cache of ‘Vault7’ stolen tools ∗∗∗ --------------------------------------------- Latest dump is a trove of malware from Raytheon used for surveillance and data collection --------------------------------------------- https://nakedsecurity.sophos.com/2017/07/26/wikileaks-drops-another-cache-o… ∗∗∗ Where are the holes in machine learning – and can we fix them? ∗∗∗ --------------------------------------------- Machine learning algorithms are increasingly a target for the bad guys - but the industry is working to stop them, explains Sophos chief data scientist Joshua Saxe --------------------------------------------- https://nakedsecurity.sophos.com/2017/07/26/where-are-the-holes-in-machine-… ∗∗∗ How a Citadel Trojan Developer Got Busted ∗∗∗ --------------------------------------------- A U.S. District Court judge in Atlanta last week handed a five year prison sentence to Mark Vartanyan, a Russian hacker who helped develop and sell the once infamous and widespread Citadel banking trojan. This fact has been reported by countless media outlets, but far less well known is the fascinating backstory about how Vartanyan got caught. --------------------------------------------- https://krebsonsecurity.com/2017/07/how-a-citadel-trojan-developer-got-bust… ===================== = Advisories = ===================== ∗∗∗ CRASHOVERRIDE Malware ∗∗∗ --------------------------------------------- CRASHOVERRIDE, aka, Industroyer, is the fourth family of malware publically identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-206-01 ∗∗∗ NXP i.MX Product Family ∗∗∗ --------------------------------------------- This advisory was originally posted to the NCCIC Portal on June 1, 2017, and is being released to the NCCIC/ICS-CERT web site. This advisory contains mitigation details for stack-based buffer overflow and improper certificate validation vulnerabilities in the NXP i.MX Product Family. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-152-02 ∗∗∗ Bugtraq: [SECURITY] [DSA 3919-1] openjdk-8 security update ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540926 ∗∗∗ DFN-CERT-2017-1288: Red Hat JBoss Enterprise Web Server: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1288/ ∗∗∗ Security Advisory - Two DoS Vulnerabilities in Call Module of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-… ∗∗∗ Security Advisory - Resource Exhaustion Vulnerability in Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170725-… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities fixed in Java shipped as a component of IBM Security Privileged Identity Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006547 ∗∗∗ SSA-323211 (Last Update 2017-07-25): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211… ∗∗∗ SSA-822184 (Last Update 2017-07-26): Microsoft Web Server and HP Client Automation Vulnerabilities in Molecular Imaging Products from Siemens Healthineers ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2017
by Daily end-of-shift report 25 Jul '17

25 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 24-07-2017 18:00 − Dienstag 25-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Fruit Fly 2: Mysteriöse Mac-Malware seit Jahren aktiv ∗∗∗ --------------------------------------------- Auch Mac-Nutzer sind nicht vor Schadsoftware sicher: Eine Malware soll seit mehr als fünf Jahren aktiv sein, aber nur einige hundert Nutzer befallen haben. Die Software ermöglicht einen weitgehenden Zugriff auf den Rechner und private Informationen. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/fruit-fly-2-mysterioese-mac-malware-seit-jahren-a… ∗∗∗ CowerSnail, from the creators of SambaCry ∗∗∗ --------------------------------------------- We recently reported about SambaCry, a new family of Linux Trojans exploiting a vulnerability in the Samba protocol. A week later, Kaspersky Lab analysts managed to detect a malicious program for Windows that was apparently created by the same group responsible for SambaCry. --------------------------------------------- http://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/ ∗∗∗ Novel Attack Tricks Servers to Cache, Expose Personal Data ∗∗∗ --------------------------------------------- Researchers have a devised a way to trick a web server into caching pages and exposing personal data to attackers. --------------------------------------------- http://threatpost.com/novel-attack-tricks-servers-to-cache-expose-personal-… ∗∗∗ SBA Research co-organizes ROOTS 2017 ∗∗∗ --------------------------------------------- November 16, 2017 - November 17, 2017 - All Day The Imperial Riding School Vienna Ungargasse 60 Vienna --------------------------------------------- https://www.sba-research.org/events/sba-research-co-organizes-roots-2017/ ∗∗∗ Alternatives to Government-Mandated Encryption Backdoors ∗∗∗ --------------------------------------------- Policy essay: "Encryption Substitutes," by Andrew Keane Woods --------------------------------------------- https://www.schneier.com/blog/archives/2017/07/alternatives_to_1.html ∗∗∗ ShieldFS Is a Clever New Tool That Shuts Down Ransomware Before Its Too Late ∗∗∗ --------------------------------------------- By sniffing out ransomware in real-time, ShieldFS might be the cure to the internets latest security scourge. --------------------------------------------- https://www.wired.com/story/shieldfs-ransomware-protection-tool ∗∗∗ ENISA invites European utilities to join EE-ISAC Expert meeting in September ∗∗∗ --------------------------------------------- Together with the DG Energy of the European Commission, ENISA is organising a full-day expert seminar, which will be held on 7th September, 2017 in Athens. Registration is now open. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-invites-european-utilitie… ===================== = Advisories = ===================== ∗∗∗ VU#350135: Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin ∗∗∗ --------------------------------------------- Vulnerability Note VU#350135 Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin Original Release date: 07 Jun 2017 | Last revised: 24 Jul 2017 Overview WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device. --------------------------------------------- http://www.kb.cert.org/vuls/id/350135 ∗∗∗ VU#838200: Telerik Web UI contains cryptographic weakness ∗∗∗ --------------------------------------------- Vulnerability Note VU#838200 Telerik Web UI contains cryptographic weakness Original Release date: 25 Jul 2017 | Last revised: 25 Jul 2017 Overview The Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys. --------------------------------------------- http://www.kb.cert.org/vuls/id/838200 ∗∗∗ [20170704] - Core - Installer: Lack of Ownership Verification ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Installer Severity: High Versions: 1.0.0 through 3.7.3 Exploit type: Lack of Ownership Verification Reported Date: 2017-Apr-06 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11364 Description The CMS installer application lacked a process to verify the users ownership of a webspace, potentially allowing users to gain control. Please note: Already installed sites are not affected, as this issue is limited to the installer application! --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/dsijOki-S50/700-20170704-c… ∗∗∗ [20170705] - Core - XSS Vulnerability ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Severity: Low Versions: 1.5.0 through 3.7.3 Exploit type: XSS Reported Date: 2017-April-26 Fixed Date: 2017-July-25 CVE Number: CVE-2017-11612 Description Inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/uutSEqYQKbU/701-20170605-c… ∗∗∗ DFN-CERT-2017-1285: Cacti: Eine Schwachstelle ermöglicht einen Cross-Site-Scripting-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1285/ ∗∗∗ Vulnerability in Citrix NetScaler SD-WAN Enterprise & Standard Edition and Citrix CloudBridge Virtual WAN Edition Could Result in Unauthenticated Remote Code Execution ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX225990 ∗∗∗ IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2017-1496) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006175 ∗∗∗ IBM Security Bulletin: A vulnerability in OpenSource GNU Glibc affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005677 ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2017-1370) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005868 ∗∗∗ IBM Security Bulletin: Vulnerabilities in open source zlib library affect IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002754 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL Vulnerabilities affect IBM Network Advisor ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010466 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities affect IBM WebSphere Portal Rich Media Edition ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005279 ∗∗∗ [2017-07-24] Cross-Site Scripting (XSS) issue in multiple Ubiquiti Networks products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ [2017-07-24] Open Redirect issue in multiple Ubiquiti Networks products ∗∗∗ --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2017
by Daily end-of-shift report 24 Jul '17

24 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-07-2017 18:00 − Montag 24-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ New Version of DarkHotel Malware Spotted Going After Political Figures ∗∗∗ --------------------------------------------- The DarkHotel hacking group, a threat actor known to engage in advanced cyber-espionage tactics, has shifted operations from targeting CEOs and businessmen to political figures. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-version-of-darkhotel-mal… ∗∗∗ How was the #TurrisHack17 ? ∗∗∗ --------------------------------------------- Since the beginning of the Turris project, we have been very happy for the opportunity to cooperate closely with our community. Without it, the project would not have been where it is now. It was largely the interest of potential […] --------------------------------------------- http://en.blog.nic.cz/2017/07/22/how-was-the-turrishack17/ ∗∗∗ FIRST releases inaugural annual report ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams releases inaugural annual report, covering the scope of its activities from the 2016 conference in Seoul, through its 2017 annual event in Puerto Rico. --------------------------------------------- https://www.first.org/newsroom/releases/20170724 ∗∗∗ Hacking: Microsoft beschlagnahmt Fancy-Bear-Infrastruktur ∗∗∗ --------------------------------------------- Um gegen die Hackergruppe Fancy Bear vorzugehen, nutzt Microsoft das Markenrecht und beschlagnahmt Domains. Die kriminellen Aktivitäten der Gruppe würden "die Marke und den Ruf" des Unternehmens schädigen. Komplett stoppen lassen sich die Aktivitäten aber auch auf diesem Wege nicht. (Microsoft, Server) --------------------------------------------- https://www.golem.de/news/hacking-microsoft-beschlagnahmt-fancy-bear-infras… ∗∗∗ Uber drivers new threat: the "passenger", (Mon, Jul 24th) ∗∗∗ --------------------------------------------- This week I was told about a scam attack that surprised me due to the criminals creativity. A NYC Uber driver had his Uber account and days incomings stolen by someone who was supposed to be his next passenger. --------------------------------------------- https://isc.sans.edu/diary/rss/22626 ∗∗∗ DMARC: an imperfect solution that can make a big difference ∗∗∗ --------------------------------------------- US Senator Ron Wyden has asked the Department of Homeland Security to implement DMARC. Martijn Grooten looks at what difference this could make for phishing attacks impersonating the US federal governent. Read more --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/07/dmarc-imperfect-solution-can… ===================== = Advisories = ===================== ∗∗∗ HPESBHF03745 rev.3 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- Potential security vulnerabilities have been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerabilities could be exploited remotely to allow execution of code. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf037… ∗∗∗ rt-sa-2017-009 ∗∗∗ --------------------------------------------- Remote Command Execution as root in REDDOXX Appliance --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-009.txt ∗∗∗ rt-sa-2017-007 ∗∗∗ --------------------------------------------- Undocumented Administrative Service Account in REDDOXX Appliance --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-007.txt ∗∗∗ VU#586501: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account ∗∗∗ --------------------------------------------- http://www.kb.cert.org/vuls/id/586501 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003790 ∗∗∗ IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005381 ∗∗∗ Palo Alto PAN-OS Unspecified Bug in DNS Proxy Lets Remote Users Execute Arbitrary Code on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038976 ∗∗∗ Palo Alto PAN-OS Input Validation Flaw in GlobalProtect External Interface Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038975 ∗∗∗ Palo Alto PAN-OS Input Validation Flaw in Management Web Interface Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038974 ∗∗∗ Python and Jython vulnerability CVE-2013-1752 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53192206 ∗∗∗ Python and Jython vulnerability CVE-2014-7185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K78825687 ∗∗∗ SNMP vulnerability CVE-2007-5846 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33151296 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2017
by Daily end-of-shift report 21 Jul '17

21 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-07-2017 18:00 − Freitag 21-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 14 Warning Signs that Your Computer is Malware-Infected ∗∗∗ --------------------------------------------- Malware attacks affect us all. The increasing number of Internet users worldwide creates an equal (or larger) number of opportunities for cyber criminals to take advantage of our systems. As we become more dependent on the online environment, we can clearly see a massive growth in malware and cyber criminal activities all across the globe. --------------------------------------------- https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-ma… ∗∗∗ Practical Android Phone Forensics ∗∗∗ --------------------------------------------- Introduction Today’s world is Android World. Almost 90% of devices are running on Android, and each one of us is using Android in some or the other way. There are various devices which run on Android, but Android is widely used on Smart Phones. Also, if you check the Global Smart Phone Market Share Android [...] --------------------------------------------- http://resources.infosecinstitute.com/practical-android-phone-forensics/ ∗∗∗ BKA will mächtigeren Staatstrojaner angeblich noch 2017 einsatzbereit haben ∗∗∗ --------------------------------------------- Laut einem geleakten Dokument ist man beim Bundeskriminalamt optimistisch, noch 2017 einen Staatstrojaner einsatzbereit zu haben, der deutlich mächtiger ist als sein Vorgänger. Damit sollen auch Smartphones gehackt werden, nachdem das nun erlaubt wurde. --------------------------------------------- https://heise.de/-3779770 ∗∗∗ Companies unprepared to measure incident response ∗∗∗ --------------------------------------------- Companies struggle to keep up with and respond to cyberattacks due to lack of resources, according to Demisto. For example, more than 40 percent of respondents said their organizations are not prepared to measure incident response, and only 14.5 percent of respondents are measuring MTTR (Mean Time to Respond). While organizations are hit with an average of nearly 350 incidents per week, 30 percent of respondents reported they have no playbooks, runbooks or other documentation [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/21/measure-incident-response/ ∗∗∗ Smartphone mit Sicherheitslücken verkauft: Klage gegen Media Markt ∗∗∗ --------------------------------------------- Deutsche Verbraucherschützer gehen gegen Händler vor, es handelt sich um einen Präzedenzfall --------------------------------------------- http://derstandard.at/2000061599440 ∗∗∗ Cyber-Angriffe auf die Wirtschaft – jedes zweite Unternehmen betroffen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Cyber-Angri… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1269: Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1269/ ∗∗∗ DFN-CERT-2017-1263: GitLab: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen und die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1263/ ∗∗∗ DFN-CERT-2017-1270: Red Hat 3scale API Management Platform: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1270/ ∗∗∗ IBM Security Bulletin: WebSphere Application Server may have insecure file permissions (CVE-2017-1382) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004785 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in Admin Console for WebSphere Application Server (CVE-2017-1380) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004786 ∗∗∗ IBM Security Bulletin: API Connect is affected by SSH vulnerability (CVE-1999-1085) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005718 ∗∗∗ IBM Security Bulletin: Vulnerabilitiy in OpenSSL affect IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010137 ∗∗∗ IBM Security Bulletin: Cross-site Scripting vulnerabilities affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22006052 ∗∗∗ IBM Security Bulletin:IBM Emptoris Supplier Lifecycle Management is affected by a Cross Site Scripting vulnerability (CVE-2016-6118) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005824 ∗∗∗ IBM Security Bulletin: Reflected XSS in IBM Worklight OAuth Server Web Api ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000316 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005076 ∗∗∗ SSA-275839 (Last Update 2017-07-21): Denial-of-Service Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… ∗∗∗ SSA-293562 (Last Update 2017-07-21): Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562… ∗∗∗ SSA-731239 (Last Update 2017-07-21): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239… ∗∗∗ libxml2 vulnerability CVE-2015-8710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45439210 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2017
by Daily end-of-shift report 20 Jul '17

20 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-07-2017 18:00 − Donnerstag 20-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vault 7 Data Leak: Analyzing the CIA files ∗∗∗ --------------------------------------------- Digging the Vault 7 dumps In a first post on the Vault7 dump, we analyzed the information contained in files leaked by Wikileaks and allegedly originating from a network of the U.S. Central Intelligence Agency (CIA). At the time, we analyzed the following CIA projects: The Year Zero that revealed CIA hacking exploits for hardware and software. The Dark Matter dump […]The post Vault 7 Data Leak: Analyzing the CIA files appeared first on InfoSec Resources. --------------------------------------------- http://resources.infosecinstitute.com/vault-7-data-leak-analyzing-cia-files… ∗∗∗ DDoS Tools availability Online, a worrisome trend ∗∗∗ --------------------------------------------- Experts warn of an increased availability of DDoS tools online, many wannabe hackers download and use them without awareness on consequences. As cyber crime reaches new levels with new malware & viruses being realized online on a daily basis it also becomes apparent that the increase in DDoS tools that require no apparent skills to […]The post DDoS Tools availability Online, a worrisome trend appeared first on Security Affairs. --------------------------------------------- http://securityaffairs.co/wordpress/61188/hacking/ddos-tools-online.html ∗∗∗ EU Court to Rule On Right to Be Forgotten Outside Europe ∗∗∗ --------------------------------------------- The European Unions top court is set to decide whether the blocs "right to be forgotten" policy stretches beyond Europes borders, a test of how far national laws can -- or should -- stretch when regulating cyberspace. From a report: The case stems from France, where the highest administrative court on Wednesday asked the EUs Court of Justice to weigh in on a dispute between Alphabets Google and Frances privacy regulator over how broadly to apply the right (Editors note: the link could --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/RSt2wRvb9ho/eu-court-to-rul… ∗∗∗ No one still thinks iOS is invulnerable to malware, right? Well, knock it off ∗∗∗ --------------------------------------------- As platforms popularity continues to rise, so does its allure to miscreants The comforting notion that iOS devices are immune to malicious code attacks has taken a knock following the release of a new study by mobile security firm Skycure.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/ios_securit… ∗∗∗ IETF: Streit über TLS-Überwachung führt zum Eklat ∗∗∗ --------------------------------------------- Für die einen ist es passives Monitoring im Rechenzentrum. Für die anderen ist der Nachschlüssel für Netzadministratoren ein Einstieg in die Massenüberwachung und der GAU für das neue TLS-Protokoll. --------------------------------------------- https://heise.de/-3777578 ∗∗∗ Google Play Protect schützt vor Malware-Apps ∗∗∗ --------------------------------------------- Google rollt einen neuen Sicherheitsmechanismus für Android-Smartphones aus, der installierte Apps laufend überprüft. Google Play Protect funktioniert auch mit Anwendungen, die nicht aus dem Play Store stammen. --------------------------------------------- https://heise.de/-3778162 ∗∗∗ Bugfix- und Sicherheitsupdates für watchOS und tvOS ∗∗∗ --------------------------------------------- Das Apple-Watch-Betriebssystem erreicht Version 3.2.3 und das Apple-TV-4-OS Version 10.2.2. Es gibt Fehlerbehebungen und sicherheitsrelevante Fixes. --------------------------------------------- https://heise.de/-3777843 ∗∗∗ Assessing the habits and tactics of organized credit card fraud gangs ∗∗∗ --------------------------------------------- By analyzing hundreds of criminal forums, Digital Shadows discovered a new trend in the form of remote learning ‘schools’. Available to Russian speakers only, these six-week courses comprise 20 lectures with five expert instructors. The course includes webinars, detailed notes and course material. An advertisement for the WWH online course In exchange for $745 (plus $200 for course fees), aspiring cyber criminals have the potential to make $12k a month, based on a standard 40-hour --------------------------------------------- https://www.helpnetsecurity.com/2017/07/20/organized-credit-card-fraud-gang… ===================== = Advisories = ===================== ∗∗∗ Apple Sicherheitsupdates für Mac OS X und macOS Sierra ∗∗∗ --------------------------------------------- Das Betriebssystem Mac OS X ist der Standard auf Apple Laptops und Desktop-Geräten.Das von Apple entwickelte Betriebssystem macOS Sierra ist der namentliche Nachfolger von Mac OS X ab Version 10.12 für Macintosh-Systeme (Desktop und Server).Apple veröffentlicht macOS Sierra 10.12.6 und schließt damit Sicherheitslücken, durch die ein nicht angemeldeter Angreifer aus dem Internet intendierte Sicherheitsmaßnahmen umgehen, Daten auf Ihrem Rechner ausspähen oder --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Sicherheitsupdate auf Apple iOS 10.3.3 ∗∗∗ --------------------------------------------- iOS ist das Standardbetriebssystem auf Apple-Geräten wie iPhone, iPod touch und iPad. Es wurde auf Basis des Betriebssystems MAC OS X entwickelt.In verschiedenen von Apple iOS bis einschließlich Version 10.3.2 intern verwendeten Komponenten existieren mehrere, zum Teil schwerwiegende Sicherheitslücken. Ein Angreifer aus dem Internet kann diese insgesamt 47 Sicherheitslücken für das Ausführen beliebigen Programmcodes, auch mit erweiterten Privilegien, das --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Apple veröffentlicht Sicherheitsupdates für den Safari Webbrowser ∗∗∗ --------------------------------------------- Der Webbrowser Safari wurde von Apple für MAC OS X entwickelt.Apple schließt mit der neuen Safari Version für OS X Yosemite, OS X El Capitan und macOS Sierra mehrere Sicherheitslücken, durch die ein Angreifer aus dem Internet unter anderem beliebigen Programmcode auf Ihrem System ausführen, Informationen ausspähen sowie falsche Informationen darstellen kann. Insbesondere durch die Ausführung beliebigen Programmcodes kann ihr System nachhaltig geschädigt --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/warnmeldung_… ∗∗∗ Vuln: Genivia gSOAP CVE-2017-9765 Stack Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/99868 ∗∗∗ Cisco ASR 5000 Series Aggregation Services Routers GGSN Gateway Redirect Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Administrative Interface Access Control Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Static Credentials Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Authenticated Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Command Injection and Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Collaboration Provisioning Tool Web Portal Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco ASR 5000 Series Aggregation Services Routers Access Control List Security Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1253: Apple iCloud: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1253/ ∗∗∗ IBM Security Bulletin: Vulnerability in IBM SDK, Java Technology Edition Quarterly CPU – Apr 2017 – Includes Oracle Apr 2017 CPU affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005616 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2017
by Daily end-of-shift report 19 Jul '17

19 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-07-2017 18:00 − Mittwoch 19-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk ∗∗∗ --------------------------------------------- Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking. The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development --------------------------------------------- https://thehackernews.com/2017/07/gsoap-iot-device-hacking.html ∗∗∗ Sicherheitslücke in allen Node.js-Versionen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke macht viele Node.js-Anwendungen anfällig für Denial-of-Service-Attacken. Die Entwickler haben korrigierte Versionen von Node.js 4, 6, 7 und 8 bereitgestellt und raten dringend zum Update. --------------------------------------------- https://heise.de/-3775843 ∗∗∗ Adware the series, the final: Tools section ∗∗∗ --------------------------------------------- The final episode of our adware series talks specifically about the tools that we use in identifying adware and the places where it lurks on a system.Categories: PUPTags: adwareFileASSASSINfrstPieter Arntzprocess explorerResource Monitorrootkitthe more you knowtoolstrojan(Read more...)The post Adware the series, the final: Tools section appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/puppum/2017/07/adware-the-series-the-final-to… ===================== = Advisories = ===================== ∗∗∗ DSA-3914 imagemagick - security update ∗∗∗ --------------------------------------------- This updates fixes several vulnerabilities in imagemagick: Variousmemory handling problems and cases of missing or incomplete inputsanitising may result in denial of service, memory disclosure or theexecution of arbitrary code if malformed RLE, SVG, PSD, PDB, DPX, MAT,TGA, VST, CIN, DIB, MPC, EPT, JNG, DJVU, JPEG, ICO, PALM or MNGfiles are processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3914 ∗∗∗ WP Statistics 12.0.9 - Authenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8866 ∗∗∗ DFN-CERT-2016-1068: Apache Commons FileUpload, Apache Tomcat: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2016-1068/ ∗∗∗ DFN-CERT-2017-1240: Apache Software Foundation HTTP-Server: Eine Schwachstelle ermöglicht das Ausspähen von Informationen und einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1240/ ∗∗∗ DFN-CERT-2017-1245: Wireshark: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1245/ ∗∗∗ DFN-CERT-2017-1249: Symfony: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1249/ ∗∗∗ IBM Security Bulletin: IBM Cisco MDS Series Switches DCNM is affected by unauthenticated, remote attacker vulnerability (CVE-2017-6639, CVE-2017-6640). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010329 ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform Reports Privilege Escalation (CVE-2017-1373) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004677 ∗∗∗ Oracle Critical Patch Update Advisory - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ∗∗∗ Solaris Third Party Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinjul2017-3814622.h… ∗∗∗ Oracle Linux Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2017-3832… ∗∗∗ Oracle VM Server for x86 Bulletin - July 2017 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2017-383236… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2017
by Daily end-of-shift report 18 Jul '17

18 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 17-07-2017 18:00 − Dienstag 18-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich hier: https://www.cert.at/about/jobs/jobs.html --------------------------------------------- https://www.cert.at/services/blog/20170718152748-2072.html ∗∗∗ Exploit Derived From ETERNALSYNERGY Upgraded to Target Newer Windows Versions ∗∗∗ --------------------------------------------- Thai security researcher Worawit Wang has put together an exploit based on ETERNALENERGY that can also target newer versions of the Windows operating system. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-derived-from-eternal… ∗∗∗ Economic losses from cyber attack ‘akin to natural disaster’ ∗∗∗ --------------------------------------------- Not just a disaster for your data, a major attack could cost the global economy up to $120bn, according to new study. --------------------------------------------- https://www.htbridge.com/blog/economic-losses-from-cyber-attack-akin-to-nat… ∗∗∗ Linux Users Urged to Update as a New Threat Exploits SambaCry ∗∗∗ --------------------------------------------- A seven-year old vulnerability in Samba—an open-source implementation of the SMB protocol used by Windows for file and printer sharing—was patched last May but continues to be exploited. According to a security advisory released by the company, the vulnerability allows a malicious actor to upload a shared library to a writable share, causing the server to load and execute it. If leveraged successfully, an attacker could open a command shell in a vulnerable device and take control of --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/lri-dU9kM1o/ ===================== = Advisories = ===================== ∗∗∗ Cisco WebEx Browser Extension Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco WebEx browser extensions for Google Chrome and Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.The --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Bitdefender Remote Stack Buffer Overflow via 7z PPMD ∗∗∗ --------------------------------------------- submitted by /u/landave [link] [comments] --------------------------------------------- https://www.reddit.com/r/netsec/comments/6o0gji/bitdefender_remote_stack_bu… ∗∗∗ Bitdefender Remote Stack Buffer Overflow via 7z PPMD ∗∗∗ --------------------------------------------- https://www.reddit.com/r/netsec/comments/6o0gji/bitdefender_remote_stack_bu… ∗∗∗ DFN-CERT-2017-1230/">XML::LibXML: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1230/ ∗∗∗ [webapps] Barracuda Load Balancer Firmware <= 6.0.1.006 - Remote Command Injection (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42333/?rss ∗∗∗ [webapps] Sophos Web Appliance 4.3.0.2 - trafficType Remote Command Injection (Metasploit) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42332/?rss ∗∗∗ [remote] Belkin NetCam F7D7601 - Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/42331/?rss ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Server is affected by a user password being stored in plain text vulnerability (CVE-2017-1309) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005437 ∗∗∗ IBM Security Bulletin: BigFix Family WebUI Component Has Security Vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005246 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Direct for UNIX (CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005893 ∗∗∗ IBM Security Bulletin: Vulnerabilities in zlib affect IBM Sterling Connect:Direct for UNIX (CVE-2016-9840, CVE-2016-9841, CVE-2016-9843) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005891 ∗∗∗ IBM Security Bulletin: The BigFix Platform versions 9.1 and 9.2 have security vulnerabilities that have been addressed via patch releases ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22006014 ∗∗∗ IBM Security Bulletin: Detailed error messages in IBM Emptoris Contract Management are vulnerable to attacks (CVE-2016-6018) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005664 ∗∗∗ IBM Tivoli Enterprise Portal Server Bugs Let Remote Users Execute Arbitrary Commands and Modify SQL Queries and Let Local Users Gain Elevated Privileges ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038913 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.07.2017
by Daily end-of-shift report 17 Jul '17

17 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-07-2017 18:00 − Montag 17-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Week in Ransomware - July 14th 2017 - NemucodAES, LeakerLocker, and More ∗∗∗ --------------------------------------------- It has been a slow week in terms of new releases, which is always a good thing. Still lots of small crapware being released that will never have much wide distribution. We also have some good news, which is the release of a NemucodAES decryptor by Emsisoft. This allows victims of this ransomware to get their files back for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-… ∗∗∗ We Tested More than 50 Free Security Tools so You can Use Them for Your Online Protection ∗∗∗ --------------------------------------------- The idea that we should create a gargantuan list of cyber security tools started to spring in our minds around the beginning of this year. We started from a simple idea: It should be useful. We need it. You need it. It will come in handy in the future, to have all those tools in […] --------------------------------------------- https://heimdalsecurity.com/blog/free-cyber-security-tools-list/ ∗∗∗ Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware ∗∗∗ --------------------------------------------- An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTubes standard features. Because Google was planning major changes to YouTubes UI, the extensions original author decided to retire it and create a new one. This is when the a mysterious company --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/StqZHG6JsVY/popular-chrome-… ∗∗∗ Petya From The Wire: Detection using IDPS ∗∗∗ --------------------------------------------- Most malware that traverses a network do so with specific indicators, some of which look like legitimate network traffic and others that are completely unique to the malware. A single IDPS signature can have high confidence of detecting an infection... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Petya-From-The-Wire--Detecti… ∗∗∗ Gandi.net: Angreifer klaut interne Login-Daten und leitet Domains auf Malware um ∗∗∗ --------------------------------------------- Ein Angreifer hat die Login-Daten des französischen Registrars Gandi.net für einen seiner technischen Provider erlangt und 751 DNS-Einträge manipuliert, damit sie auf eine schädliche Website umleiten. --------------------------------------------- https://heise.de/-3772259 ∗∗∗ DDoS-Angriffe: Hacker flooden liebsten am Wochenende und abends ∗∗∗ --------------------------------------------- In seinem aktuellen DDoS-Report katalogisiert die deutsche Sicherheitsfirma Link11 die Distributed-Denial-of-Service-Angriffe auf Unternehmen der DACH-Region. Der Bericht legt nahe, dass solche Angriffe nach wie vor viel Schaden in Unternehmen anrichten. --------------------------------------------- https://heise.de/-3773640 ∗∗∗ Jetzt patchen: FreeRADIUS stopft Sicherheitslücken ∗∗∗ --------------------------------------------- Wer den beliebten Open-Source-RADIUS-Server FreeRADIUS verwendet, sollte Updates einspielen. Über Sicherheitslücken können Angreifer aus der Ferne Schadcode zur Ausführung bringen. --------------------------------------------- https://heise.de/-3773875 ∗∗∗ Keeping up with the Petyas: Demystifying the malware family ∗∗∗ --------------------------------------------- Last June 27, there was a huge outbreak of a Petya-esque malware with WannaCry-style infector in the Ukraine. Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family.Categories: CybercrimeMalwareTags: Anti-RansomwareEternalPetyaGoldeneye ransomwaregreen petyajanusMischa ransomwareNotPetyaPetrwrappetya originsPetya ransomwareransomwarered petya(Read more...)The post Keeping up with the --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas… ===================== = Advisories = ===================== ∗∗∗ DSA-3911 evince - security update ∗∗∗ --------------------------------------------- Felix Wilhelm discovered that the Evince document viewer made insecureuse of tar when opening tar comic book archives (CBT). Opening amalicious CBT archive could result in the execution of arbitrary code.This update disables the CBT format entirely. --------------------------------------------- https://www.debian.org/security/2017/dsa-3911 ∗∗∗ DSA-3910 knot - security update ∗∗∗ --------------------------------------------- Clément Berthaux from Synaktiv discovered a signature forgery vulnerability inknot, an authoritative-only DNS server. This vulnerability allows an attackerto bypass TSIG authentication by sending crafted DNS packets to a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3910 ∗∗∗ DSA-3909 samba - security update ∗∗∗ --------------------------------------------- Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutualauthentication bypass vulnerability in samba, the SMB/CIFS file, print, andlogin server. Also known as Orpheus Lyre, this vulnerability is located inSamba Kerberos Key Distribution Center (KDC-REP) component and could be used byan attacker on the network path to impersonate a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3909 ∗∗∗ WordPress Download Manager <= 2.9.49 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8856 ∗∗∗ WP-Members <= 3.1.7 - Authenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8858 ∗∗∗ WordPress Download Manager <= 2.9.50 - Open Redirect ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8857 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2017
by Daily end-of-shift report 14 Jul '17

14 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-07-2017 18:00 − Freitag 14-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Hackers Are Using Automated Scans to Target Unfinished WordPress Installs ∗∗∗ --------------------------------------------- Experts from security firm Wordfence say they have observed a wave of web attacks that took aim at unfinished WordPress installations. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-using-automated-… ∗∗∗ Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data ∗∗∗ --------------------------------------------- An analysis of Amazon Web Services storage containers reveals troubling trend of misconfigured S3 buckets that leak data. --------------------------------------------- http://threatpost.com/experts-warn-too-often-aws-s3-buckets-are-misconfigur… ∗∗∗ Reverse Engineering Hardware of Embedded Devices: From China to the World ∗∗∗ --------------------------------------------- This article covers some basic hardware reverse engineering techniques on PCB-level, which are applicable to any electronic embedded device to showcase how to analyze a previously unknown (to the researcher or public white-hat community) hardware device. --------------------------------------------- http://blog.sec-consult.com/2017/07/reverse-engineering-hardware.html ∗∗∗ Code Injection in Signed PHP Archives (Phar) ∗∗∗ --------------------------------------------- PHP contains an interesting but rarely used feature called Phar, which stands for PHp ARchive, that allows developers to package entire applications as a single executable file. It also boasts some additional security benefits by signing archives with a digital signature, disallowing the modification of the archives on production machines. --------------------------------------------- https://blog.sucuri.net/2017/07/code-injection-in-phar-signed-php-archives.… ∗∗∗ Peng!!! Comic HACKT Linux ∗∗∗ --------------------------------------------- Der unter Linux weit verbreitete Dokumenten-Betrachter Evince weist eine kritische Lücke auf, die sich ausnutzen lässt, um das System mit Schad-Software zu infizieren. Der Fehler lässt sich durch Comic-Books auslösen; Updates werden bereits ausgeliefert. --------------------------------------------- https://heise.de/-3771980 ∗∗∗ Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’ ∗∗∗ --------------------------------------------- A greater number of ATM skimming incidents now involve so-called "insert skimmers," wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers -- which record card data and store it on a tiny embedded flash drive are -- equipped with technology allowing it to transmit stolen card data wirelessly via infrared, the same technology built into a television remote control. --------------------------------------------- https://krebsonsecurity.com/2017/07/thieves-used-infrared-to-pull-data-from… ∗∗∗ Gefälschte Rechnung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Mit einer gefälschten Rechnung fordern Kriminelle Empfänger/innen dazu auf, einen Dateianhang zu öffnen. Er beinhalt angeblich eine "vollständige Kostenaufstellung". Diese ist in Wahrheit Schadsoftware. Rechnungsempfänger/innen dürfen sie nicht öffnen, andernfalls drohen ihnen erhebliche Nachteile. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-rechnu… ===================== = Advisories = ===================== ∗∗∗ Siemens SiPass integrated ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper authentication, improper privilege management, channel accessible by non-endpoint, and storing passwords in a recoverable format vulnerabilities in the Siemens SiPass integrated access control system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a heap-based buffer overflow vulnerability in the GE Communicator. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-02 ∗∗∗ Vulnerabilities in Dasan Networks GPON ONT WiFi Router H64X Series ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070101 https://cxsecurity.com/issue/WLB-2017070102 https://cxsecurity.com/issue/WLB-2017070103 https://cxsecurity.com/issue/WLB-2017070104 ∗∗∗ DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2892404 ∗∗∗ Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2888094 ∗∗∗ DFN-CERT-2017-1218: Evince: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1218/ ∗∗∗ DFN-CERT-2017-1221: GLPi: Mehrere Schwachstellen ermöglichen SQL-Injektionen und das Löschen beliebiger Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1221/ ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System FC5022 16Gb SAN Scalable Switch and IBM Flex System EN4023 10Gb Scalable Switch (CVE-2016-2108) ∗∗∗ --------------------------------------------- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099625 ∗∗∗ Critical Patch Update - July 2017- Pre-Release Announcement ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ∗∗∗ Apache mod_auth_digest Uninitialized Memory Error Lets Remote Users Obtain Potentially Sensitive Information and Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038906 ∗∗∗ EMC ViPR SRM Default Accounts Let Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038905 ∗∗∗ Pulse Connect Secure Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038880 ∗∗∗ SSA-589378 (Last Update 2017-07-13): Vulnerabilities in Android App SIMATIC Sm@rtClient ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-589378… ∗∗∗ SSA-874235 (Last Update 2017-07-13): Intel Vulnerability in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2017
by Daily end-of-shift report 13 Jul '17

13 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-07-2017 18:00 − Donnerstag 13-07-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Learning Pentesting with Metasploitable3: Exploiting WebDAV ∗∗∗ --------------------------------------------- Introduction: In the third part of this series, we discussed how to exploit Metasploitable3 using a vulnerability in Elasticsearch 1.1.1. As mentioned in one of the .. --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-e… ∗∗∗ Evolution of Conditional Spam Targeting Drupal Sites ∗∗∗ --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor’s session. If your Drupal site has been compromised, .. --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html ∗∗∗ New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends ∗∗∗ --------------------------------------------- After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users. Dubbed LeakerLocker, the Android .. --------------------------------------------- https://thehackernews.com/2017/07/leakerlocker-android-ransomware.html ∗∗∗ The Rodeo: Scammer bauen falschen Tor-Browser für falschen Darknet-Marktplatz ∗∗∗ --------------------------------------------- Dieser angebliche Darknet-Marktplatz entpuppt sich als wilder Ritt: Die gekauften Waren kommen nie an und die ausgegebenen Bitcoins sind futsch. --------------------------------------------- https://heise.de/-3770979 ∗∗∗ 250 Euro Spar-Gutschein zu gewinnen? ∗∗∗ --------------------------------------------- WhatsApp-Nutzer/innen erhalten die Nachricht, dass sie einen 250 Euro Gutschein von Spar gewinnen können. Dafür sollen sie drei Fragen beantworten und das Gewinnspiel über WhatsApp teilen. Dafür gibt es den Gutschein .. --------------------------------------------- https://www.watchlist-internet.at/handy-abzocke/250-euro-spar-gutschein-zu-… ===================== = Advisories = ===================== ∗∗∗ SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ∗∗∗ --------------------------------------------- The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1212/">Apache Software Foundation Struts: Zwei Schwachstelle ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1212/ ∗∗∗ DFN-CERT-2017-1214/">McAfee Advanced Threat Defence (ATD): Mehrere Schwachstellen ermöglichen u.a. Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1214/ ∗∗∗ Die Leier des Orpheus: Samba, Microsoft und andere fixen kritische Kerberos-Lücke ∗∗∗ --------------------------------------------- Durch einen simplen Fehler bei der Nutzung von Kerberos können sich Angreifer im Netz Zugriffsrechte auf Dienste wie Dateifreigaben erschleichen. Betroffen sind sowohl Windows- als auch Linux-Server beziehungsweise deren Clients. --------------------------------------------- https://heise.de/-3770761 ∗∗∗ SAP schließt Sicherheitslücken in Point-of-Sale-Software ∗∗∗ --------------------------------------------- SAP hat zehn Sicherheitsupdates veröffentlicht. Bei zwei davon schätzt die Firma die damit verbundene Gefahr als "hoch" ein. --------------------------------------------- https://heise.de/-3770849 ∗∗∗ Juniper Junos Default Credentials in SRX Series Integrated User Firewall Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038904 ∗∗∗ Juniper Junos SNMP Processing Bug Lets Remote Users Deny Service and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038903 ∗∗∗ Juniper Junos Configuration Error Lets Remote Users Bypass Authentication and Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038902 ∗∗∗ BIG-IP PEM vulnerability CVE-2017-6144 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K81601350 ∗∗∗ iControl REST vulnerability CVE-2017-6145 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22317030 ∗∗∗ TMM SSL/TLS profile vulnerability CVE-2017-6141 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21154730 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2017
by Daily end-of-shift report 12 Jul '17

12 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-07-2017 18:00 − Mittwoch 12-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ NTLM Relay Attacks Still Causing Problems in 2017 ∗∗∗ --------------------------------------------- Microsofts July 2017 Patch Tuesday includes a fix for an issue with the NT LAN Manager (NTLM) Authentication Protocol that can be exploited to allow attackers to create admin accounts on a local networks domain controller (DC). [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ntlm-relay-attacks-still-cau… ∗∗∗ HTTPS: Private Schlüssel auf dem Webserver ∗∗∗ --------------------------------------------- Zu einem Zertifikat für verschlüsselte HTTPS-Verbindungen gehört ein privater Schlüssel. Doch was, wenn der Schlüssel auf dem Webserver landet - und dann nicht mehr privat ist? Wir fanden zahlreiche Webseiten, die ihren privaten Schlüssel zum Herunterladen anbieten. (SSL, Technologie) --------------------------------------------- https://www.golem.de/news/https-private-schluessel-auf-dem-webserver-1707-1… ∗∗∗ Telegram-Controlled Hacking Tool Targets SQL Injection at Scale ∗∗∗ --------------------------------------------- The Katyusha Scanner can find SQL injection bugs at scale, and is managed via the Telegram messenger on any smartphone. --------------------------------------------- http://threatpost.com/telegram-controlled-hacking-tool-targets-sql-injectio… ∗∗∗ July 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found on the Security Update Guide. MSRC team --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/07/11/july-2017-security-upda… ∗∗∗ Who Controls The Internet? ∗∗∗ --------------------------------------------- The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control [...] --------------------------------------------- http://dyn.com/blog/who-controls-the-internet/ ∗∗∗ Julys Microsoft Patch Tuesday, (Tue, Jul 11th) ∗∗∗ --------------------------------------------- TodaysMicrosoft Patch Tuesdayfixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions. --------------------------------------------- https://isc.sans.edu/diary/rss/22602 ∗∗∗ Backup Scripts, the FIM of the Poor, (Wed, Jul 12th) ∗∗∗ --------------------------------------------- File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. By example, on a server, they are directories that do not change often. --------------------------------------------- https://isc.sans.edu/diary/rss/22606 ∗∗∗ Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers ∗∗∗ --------------------------------------------- Customer-premises equipment (CPE)—specifically small office/home office (SOHO) routers—has become ubiquitous. CPE routers are notorious for their web interface vulnerabilities, old versions of software components with known vulnerabilities, default and hard-coded credentials, and other security issues. --------------------------------------------- http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=502613 ∗∗∗ What will it take to improve the ICS patch process? ∗∗∗ --------------------------------------------- While regular patching is indisputably good advice for IT networks, one of the main takeaways from the Petya and WannaCry attacks is that a lot of companies don’t do it. And with even more NSA exploits like EternalBlue scheduled to be released by The Shadow Brokers (TSB), it’s certainly not going to get any better. Patching IT systems is hard enough, but it’s even more difficult to patch industrial control systems (ICS), commonly found in [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/12/ics-patch-process/ ===================== = Advisories = ===================== ∗∗∗ Security Update for Windows Kernel (3186973) ∗∗∗ --------------------------------------------- V1.0 (September 13, 2016): Bulletin published. V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-111 ∗∗∗ [2017-07-12] Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗ --------------------------------------------- The AGFEO ES 5xx/6xx SmartHome product lines are prone to multiple critical vulnerabilities. It is possible to read the whole user database by an active debug web service in order to reveal all passwords even from the administrative account. Furthermore, many debug services are active which enable an attacker to reconfigure the whole device without such administrative permissions. A hardcoded cryptographic key pair is embedded in the firmware which is used for HTTPS communication. Those keys [...] --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ Fuji Electric V-Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-02 ∗∗∗ ABB VSN300 WiFi Logger Card ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03 ∗∗∗ OSIsoft PI Coresight ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04 ∗∗∗ Schweitzer Engineering Laboratories, Inc. SEL-3620 and SEL-3622 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06 ∗∗∗ OSIsoft PI ProcessBook and PI ActiveView ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-05 ∗∗∗ NetIQ Privileged Account Manager 3.1 Patch Update 3 (3.1.0.3) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=MtsbTyzebZw~ ∗∗∗ DFN-CERT-2017-1206/">FreeBSD, Heimdal: Eine Schwachstelle ermöglicht die vollständige Kompromittierung des Dienstes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1206/ ∗∗∗ Security Advisory - Directory Traversal Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Escalation of Privilege Vulnerability in Intel AMT, Intel ISM and Intel SMT ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ IBM Security Bulletin: Daeja ViewONE arbitrary files can be accessed ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003806 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004602 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-3511, CVE-2017-3514, CVE-2017-3539) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005085 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in zlib affects IBM Common Inventory Technology (CIT) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005841 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in the IBM Emptoris Sourcing product (CVE-2017-1447, CVE-2017-1449, CVE-2017-1450, CVE-2017-1444) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005834 ∗∗∗ IBM Security Bulletin: Vulnerability in account lockout affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8964) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995024 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-50… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in IBM Emptoris Strategic Supply Management (CVE-2016-6019, CVE-2016-8951, CVE-2016-8952 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005839 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2016-3485 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001630 ∗∗∗ JSA10806 - 2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch failures occur if the root user account is locked out (CVE-2017-10604) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806&actp=RSS ∗∗∗ JSA10775 - 2017-07 Security Bulletin: OpenSSL Security Advisory [26 Jan 2017] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10775&actp=RSS ∗∗∗ JSA10779 - 2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message (CVE-2017-2314) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779&actp=RSS ∗∗∗ JSA10782 - 2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewall ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=RSS ∗∗∗ JSA10787 - 2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms with Junos OS running in a virtualized environment. (CVE-2017-2341) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787&actp=RSS ∗∗∗ JSA10789 - 2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted DHCP packet (CVE-2017-10605) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789&actp=RSS ∗∗∗ JSA10790 - 2017-07 Security Bulletin: SRX Series: MACsec failure to report errors (CVE-2017-2342) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10790&actp=RSS ∗∗∗ JSA10791 - 2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature. (CVE-2017-2343) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791&actp=RSS ∗∗∗ JSA10792 - 2017-07 Security Bulletin: Junos: Buffer overflow in sockets library (CVE-2017-2344) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792&actp=RSS ∗∗∗ JSA10793 - 2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793&actp=RSS ∗∗∗ JSA10794 - 2017-07 Security Bulletin: MS-MPC or MS-MIC crash when passing large fragmented traffic through an ALG (CVE-2017-2346) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10794&actp=RSS ∗∗∗ JSA10797 - 2017-07 Security Bulletin: Junos OS: Incorrect argument handling in sendmsg() affects Junos OS (CVE-2016-1887) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10797&actp=RSS ∗∗∗ HPE Performance Center Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038868 ∗∗∗ HPE LoadRunner Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038867 ∗∗∗ Linux kernel vulnerability CVE-2017-1000365 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15412203 ∗∗∗ Linux kernel vulnerability CVE-2016-8399 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23030550 ∗∗∗ IPv6 fragmentation vulnerability CVE-2016-10142 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57211290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2017
by Daily end-of-shift report 11 Jul '17

11 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 10-07-2017 18:00 − Dienstag 11-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Security Bulletins posted for Adobe Flash Player and Adobe Connect ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-21) and Adobe Connect (APSB17-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided “AS IS” with no [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1474 ∗∗∗ Exploiting Windows Authentication Protocols: Introduction ∗∗∗ --------------------------------------------- SMB relay attack Exploiting the weak Windows authentication protocols is on the top of the list for any adversary, because it mostly relies on a design flaw in the protocol itself, moreover, it is easy and could allow the adversary to get access to remote systems with almost no alert from most systems such as [...] --------------------------------------------- http://resources.infosecinstitute.com/exploiting-windows-authentication-pro… ∗∗∗ A Computational Complexity Attack against Racoon and ISAKMP Fragmentation ∗∗∗ --------------------------------------------- Trustwave recently reported a remotely exploitable computational complexity vulnerability in the racoon isakmp daemon that is part of the ipsec-tools open-source project (http://ipsec-tools.sourceforge.net/). The vulnerability is present in the handling of fragmented packets. A computational complexity attack seeks to cause [...] --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/A-Computational-Complexity-A… ∗∗∗ Verschlüsselung knackbar: Hoffnung für (manche) NotPetya-Opfer ∗∗∗ --------------------------------------------- Die Entwickler des Verschlüsselungstrojaners NotPetya haben entscheidende Fehler bei der Umsetzung ihrer Verschlüsselung gemacht. Unter bestimmten Umständen lässt sich diese knacken. Automatische Tools wird es aber wohl erst einmal nicht geben. --------------------------------------------- https://heise.de/-3768889 ∗∗∗ SambaCry bedroht HPE-NonStop-Server ∗∗∗ --------------------------------------------- Das NonStopOS von Hewlett Packards NonStop-Serversystemen ist anfällig für Angriffe über die SambaCry-Lücke. Die Firma empfiehlt, entsprechende Workarounds umzusetzen, bis Patches bereit stehen. --------------------------------------------- https://heise.de/-3769117 ∗∗∗ Learning PowerShell: The basics ∗∗∗ --------------------------------------------- Get acquainted with some of the basic principles of Powershell and get prepared for some basic usage of this versatile tool that is available on all modern Windows systems. --------------------------------------------- https://blog.malwarebytes.com/101/how-tos/2017/07/learning-powershell-the-b… ∗∗∗ SAP Security Patch Day – July 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070080 ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070076 ∗∗∗ DFN-CERT-2017-1193: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1193/ ∗∗∗ HPESBNS03755 rev.1 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004729 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance invalid requests cause denial of service to SDR and CLUSSDR channels (CVE-2017-1285) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22003856 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Cast Iron ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005610 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Emptoris Spend Analysis product (CVE-2017-1445, CVE-2017-1446) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005787 ∗∗∗ IBM Security Bulletin:Multiple vulnerabilities in the IBM Emptoris Services Procurement product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005550 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Emptoris Sourcing product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005549 ∗∗∗ IBM Security Bulletin: Apache PDFBox affects IBM Emptoris Contract Management (CVE-2016-2175) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005591 ∗∗∗ SQL Injection in extension "Content Rating Extbase" (content_rating_extbase) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-content-rating-ex… ∗∗∗ Remote Code Execution in extension "PHPMailer" (bb_phpmailer) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-phpmailer… ∗∗∗ Remote Code Execution in extension "AH Sendmail" (ah_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-ah-sendma… ∗∗∗ Remote Code Execution in extension "Maag Sendmail" (maag_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-maag-send… ∗∗∗ SQL Injection in extension "Faceted Search" (ke_search) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-faceted-search-ke… ∗∗∗ Linux kernel vulnerability CVE-2017-1000364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51931024 ∗∗∗ Linux kernel vulnerability CVE-2017-1000366 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20486351 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2017
by Daily end-of-shift report 10 Jul '17

10 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-07-2017 18:00 − Montag 10-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th) ∗∗∗ --------------------------------------------- A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, Im using width:800px [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22590 ∗∗∗ Adversary hunting with SOF-ELK, (Sun, Jul 9th) ∗∗∗ --------------------------------------------- As we recently celebrated Independence Day in the U.S., Im reminded that we honor what was, of course, an armed conflict. Todays realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We live in a world of asymmetrical battles, often conflicts that arent always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22592 ∗∗∗ 94 .ch & .li domain names hijacked and used for drive-by ∗∗∗ --------------------------------------------- A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain. The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the [...] --------------------------------------------- https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-an… ∗∗∗ BSI warnt Unternehmen gezielt vor akutem Risiko durch CEO Fraud ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/CEO_Fraud_1… ∗∗∗ Attack on Critical Infrastructure Leverages Template Injection ∗∗∗ --------------------------------------------- Contributors: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall Executive SummaryAttackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/template-injection.html ===================== = Advisories = ===================== ∗∗∗ Microsoft .NET Privilege Escalation ∗∗∗ --------------------------------------------- Topic: Microsoft .NET Privilege Escalation Risk: Medium Text:Hi @ll, all versions of .NET Framework support to load a COM object as code profiler, enabled via two or three environment ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070067 ∗∗∗ DSA-3905 xorg-server - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3905 ∗∗∗ Petya Malware Variant (Update C) ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C ∗∗∗ iManager 3.0.3 Patch 2 (3.0.3.2) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=KhPP8lJyDik~ ∗∗∗ DFN-CERT-2017-1188: SQLite: Eine Schwachstelle ermöglicht u.a. das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1188/ ∗∗∗ DFN-CERT-2017-1187: Apache Software Foundation Struts: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1187/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for Bluemix April 2017 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004278 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Performance Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004418 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Service Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004419 ∗∗∗ EMC Data Protection Advisor Input Validation Flaws Let Remote Authenticated Users Obtain Potentially Sensitive Information and Inject SQL Commands ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038841 ∗∗∗ EMC Secure Remote Services (ESRS) Policy Manager Undocumented Account With Default Password Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2017
by Daily end-of-shift report 07 Jul '17

07 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-07-2017 18:00 − Freitag 07-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ CIA Malware Can Steal SSH Credentials, Session Traffic ∗∗∗ --------------------------------------------- WikiLeaks dumped today the documentation of two CIA hacking tools codenamed BothanSpy and Gyrfalcon, both designed to steal SSH credentials from Windows and Linux systems, respectively. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /cia-malware-can-steal-ssh-credentials-session-traffic/ ∗∗∗ ZIP Bombs Can Protect Websites From Getting Hacked ∗∗∗ --------------------------------------------- Webmasters can use so-called ZIP bombs to crash a hackers vulnerability and port scanner and prevent him from gaining access to their website. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /zip-bombs-can-protect-websites-from-getting-hacked/ ∗∗∗ IT und Energiewende: Stromnetzbetreiber fordern das ganz große Lastmanagement ∗∗∗ --------------------------------------------- Silizium statt Kupfer und Stahl: Die Energiewende und die Elektromobilität erfordern einen Ausbau des Stromnetzes. Doch die Netzbetreiber setzen lieber auf Digitalisierung und "Flexibilisierung". Stromlieferanten wollen sich gegen die Bevormundung wehren. (Smart Grid, GreenIT) --------------------------------------------- https://www.golem.de/news /it-und-energiewende-stromnetzbetreiber-fordern-das-ganz-grosse-last management-1707-128779-rss.html ∗∗∗ Decryption Key to Original Petya Ransomware Released ∗∗∗ --------------------------------------------- The key to decrypt the original Petya ransomware has been reportedly released by the ransomware’s author. --------------------------------------------- http://threatpost.com /decryption-key-to-original-petya-ransomware-released/126705/ ∗∗∗ Someones phishing US nuke power stations. So far, no kaboom ∗∗∗ --------------------------------------------- Stuxnet, this aint Dont panic, but attackers are trying to phish their way into machines in various US power facilities, including nuclear power station operators. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/071/07 /someones_phishing_us_nuke_power_stations_so_far_no_kaboom/ ∗∗∗ Lets not help attackers by spreading fear, uncertainty and doubt ∗∗∗ --------------------------------------------- Spreading FUD in the wake of cyber-attacks is never a good idea. But its even worse when this might be one of the attackers implicit goals. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/07 /lets-not-help-attackers-spreading-fear-uncertainty-and-doubt/ ∗∗∗ Hacker-Sammlung gefunden: 500 Mio. E-Mail-Adressen und Passwörter betroffen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt hat in einer Underground-Economy-Plattform im Internet eine Sammlung von ca. 500.000.000 ausgespähten Zugangsdaten gefunden. Die Daten bestehen aus Email-Adressen mit dazugehörigen Passwörtern. Vermutlich stammen die Daten von verschiedenen Hacking-Angriffen und wurden über einen längeren Zeitraum zusammengetragen. Die aktuellsten ausgespähten Zugangsdaten sind wahrscheinlich aus Dezember 2016. --------------------------------------------- https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Kurzmeldungen /170705_HackerSammlung.html ∗∗∗ Abgesicherte PHP-Versionen erschienen ∗∗∗ --------------------------------------------- Trotz der Möglichkeit von Angreifern Schadcode ausführen zu können, gilt der Bedrohungsgrad nicht als kritisch. --------------------------------------------- https://heise.de/-3766935 ∗∗∗ Android-Mega-Patch: Google schließt haufenweise kritische Lücken ∗∗∗ --------------------------------------------- Unter anderem werden Lücken in WLAN-Chipsets von Broadcom geschlossen, die Angreifern das Ausführen von Code mittels manipulierter Wifi-Pakete erlauben. Auch für Android 4.4 (KitKat) sind Patches dabei. --------------------------------------------- https://heise.de/-3767103 ∗∗∗ New Ransomware Variant "Nyetya" Compromises Systems Worldwide ∗∗∗ --------------------------------------------- Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.Update 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor.Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in [...] --------------------------------------------- http://blog.talosintelligence.com/2017/06 /worldwide-ransomware-variant.html ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Wonderware ArchestrA Logger ∗∗∗ --------------------------------------------- This advisory contains mitigation details for stack-based buffer overflow, uncontrolled resource consumption, and null pointer deference vulnerabilities in Schneider Electric’s Wonderware ArchestrA Logger. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-04 ∗∗∗ Schneider Electric Ampla MES ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cleartext transmission of sensitive information and inadequate encryption strength vulnerabilities in Schneider Electric’s Ampla MES. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Credential Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070056 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Support Tunnel Hijack ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070060 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Username / Session ID Leak ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070059 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Early Boot Root Shell ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070058 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Grub Password Complexity ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070057 ∗∗∗ Bugtraq: KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540812 ∗∗∗ Bugtraq: [SYSS-2017-011] Office 365: Insufficient Session Expiration (CWE-613) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540814 ∗∗∗ iManager 2.7 Support Pack 7 - Patch 10 Hotfix 2 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=WeEb4PchpTU~ ∗∗∗ eDirectory 8.8 SP8 Patch 10 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=VYtYu65T21Y~ ∗∗∗ IBM Security Bulletin: IBM MQ Java/JMS application can incorrectly flow password in plain text. (CVE-2017-1337) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003853 ∗∗∗ IBM Security Bulletin: IBM MQ Passwords specified by MQ java or JMS applications can appear in WebSphere Application Server trace. (CVE-2017-1284) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003851 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server and Tivoli Netcool Performance Manager October 2016 and January 2017 CPU (multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005615 ∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect AIX ∗∗∗ --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc ∗∗∗ PHP Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038837 ∗∗∗ systemd vulnerability CVE-2017-9445 ∗∗∗ ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 6-07-2017
by Daily end-of-shift report 06 Jul '17

06 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-07-2017 18:00 − Donnerstag 06-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Decryptor Released for the Mole02 CryptoMix Ransomware Variant *** --------------------------------------------- It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where a decryptor for the Mole02 cryptomix variant was released. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-m… *** Evolution of Conditional Spam Targeting Drupal Sites *** --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is what has exactly happened in this case, [...] --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html *** New BTCWare Ransomware Decrypter Released for the Master Variant *** --------------------------------------------- Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decry… *** Sicherheitsupdates: Cisco kämpft gegen statische und unverschlüsselte Zugangsdaten *** --------------------------------------------- Der Netzwerkausrüster stopft zum Teil kritische Sicherheitslücken in seinem Elastic Services Controller und seinem Ultra Services Framework. --------------------------------------------- https://heise.de/-3765238 *** M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 *** --------------------------------------------- Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoo… *** The MeDoc Connection *** --------------------------------------------- The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/the-medoc-connection.html *** Fritzbox-Lücke erlaubt delikate Einblicke ins lokale Netz *** --------------------------------------------- Durch ein Informationsleck können Webseiten offenbar viele Details über das Heimnetz eines Fritzbox-Nutzers erfahren. Zu den abfischbaren Daten zählen die Netzwerknamen aller Clients, IP- und Mac-Adresssen und die eindeutige ID der Fritzbox. --------------------------------------------- https://heise.de/-3764885 *** FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure *** --------------------------------------------- The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties. --------------------------------------------- https://www.first.org/newsroom/releases/20170706 *** APWG Global Phishing Survey 2016: Trends and Domain Name Use *** --------------------------------------------- This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes. --------------------------------------------- https://apwg.org/resources/apwg-reports/domain-use-and-trends https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf *** Gefälschte Anwaltsschreiben verbreiten Schadsoftware *** --------------------------------------------- In gefälschten Anwaltsschreiben behaupten Kriminelle, dass Adressat/innen Schulden bei einem Unternehmen haben. Weiterführende Informationen zu der offenen Geldforderung sollen sich im Dateianhang der Nachricht finden. In Wahrheit verbirgt er Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwalt… *** BadGPO - Using Group Policy Objects for Persistence and Lateral Movement *** --------------------------------------------- [...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain. --------------------------------------------- http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_… *** ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-452/ *** Android Security Bulletin July 2017 *** --------------------------------------------- https://source.android.com/security/bulletin/2017-07-01.html *** BlackBerry powered by Android Security Bulletin July 2017 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Petya Malware Variant (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...] --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B *** rsyslog: remote syslog PRI vulnerability CVE-2014-3634 *** --------------------------------------------- rsyslog: remote syslog PRI vulnerability CVE-2014-3634. Security Advisory. Security Advisory Description. rsyslog before ... --------------------------------------------- https://support.f5.com/csp/article/K42903299 *** DFN-CERT-2017-1171: LibTIFF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/ *** Security Advisories for Drupal Third-Party Modules *** --------------------------------------------- *** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 *** https://www.drupal.org/node/2890357 --------------------------------------------- *** DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 *** https://www.drupal.org/node/2892404 --------------------------------------------- *** OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 *** https://www.drupal.org/node/2892400 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289). *** http://www.ibm.com/support/docview.wss?uid=swg22005058 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002336 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002335 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand *** http://www-01.ibm.com/support/docview.wss?uid=swg22000488 --------------------------------------------- *** Siemens Security Advisories *** --------------------------------------------- *** SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859… --------------------------------------------- *** SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… --------------------------------------------- *** SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus Series Switches CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 5-07-2017
by Daily end-of-shift report 05 Jul '17

05 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-07-2017 18:00 − Mittwoch 05-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** #NoPetya-Attacke hinterließ Sicherheitslücke *** --------------------------------------------- Der weltweite Cyberangriff in der vergangenen Woche hat schwerwiegendere Folgen als bislang bekannt. --------------------------------------------- https://futurezone.at/digital-life/nopetya-attacke-hinterliess-sicherheitsl… *** Cyber-Attacke NotPetya: Angebliche Angreifer wollen 250.000 Euro für Datenrettung *** --------------------------------------------- Die mutmaßlichen Entwickler der Schadsoftware NotPetya wollen gegen 100 Bitcoin (fast 250.000 Euro) einen Schlüssel herausgeben, mit dem die Daten zu retten sein sollen. Ob sie Wort halten, ist unklar. Beobachter vermuten andere Motive hinter der Wendung. --------------------------------------------- https://heise.de/-3764208 *** Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread *** --------------------------------------------- Ukrainian Police announced today it seized the servers from where the NotPetya ransomware outbreak first started to spread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-serve… *** The day a mysterious cyber-attack crippled Ukraine *** --------------------------------------------- On the morning of Tuesday, 27 June, Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Security Systems Partners (ISSP), was at Bessarabska market, a popular food market in the heart of downtown. Derevianko was picking up a few things before heading out for the 300km drive to his parents' village. Wednesday was constitution day in Ukraine, a national holiday, and he'd be using the mid-week break to spend a couple days with his kids. --------------------------------------------- http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-… *** NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web *** --------------------------------------------- The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-the… *** Doctor Web: M.E.Doc backdoor lets cybercriminals access computers *** --------------------------------------------- July 4, 2017 Doctor Web security researchers examined the update module M.E.Doc and discovered that it is involved in the distribution of at least one other malicious program. You may recall that independent researchers named specifically this M.E.Doc update module as the source of the recent outbreak of the encryption worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2. M.E.Doc is tax accounting software that is popular in Ukraine. --------------------------------------------- http://news.drweb.com/show/?i=11363&lng=en&c=9 *** Qubes OS im Test: Linux sicher und nutzerfreundlich? *** --------------------------------------------- Anwendungen und Einsatzbereiche voneinander per Virtualisierung trennen, gleichzeitig eine für den regulären Nutzer einfach zu bedienende Desktop-Oberfläche bieten: Das Qubes-OS-Projekt hat sich einiges vorgenommen. --------------------------------------------- https://heise.de/-3764500 *** Österreich im Bereich Cybersicherheit auf Platz 30 *** --------------------------------------------- Große Industriestaaten schneiden bei der Cybersicherheit einer UN-Studie zufolge teils schlechter ab als einige deutlich ärmere Staaten. --------------------------------------------- https://futurezone.at/digital-life/oesterreich-im-bereich-cybersicherheit-a… *** Introducing Linux Support for FakeNet-NG: FLARE's Next GenerationDynamic Network Analysis Tool *** --------------------------------------------- Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG's release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-faken… *** The Hardware Forensic Database *** --------------------------------------------- The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools. --------------------------------------------- http://hfdb.io/ *** Kundendaten: Datenleck bei der Deutschen Post *** --------------------------------------------- Eine Datenbank mit 200.000 Umzugsmitteilungen der Post lag ungeschützt im Netz. Tausende andere Firmen aus aller Welt haben exakt den gleichen Fehler gemacht. --------------------------------------------- https://www.golem.de/news/kundendaten-datenleck-bei-der-deutschen-post-1707… *** Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities *** --------------------------------------------- Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user. --------------------------------------------- http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-prec… *** Security Advisory - DoS Vulnerability in TLS of Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170705-… *** rt-sa-2017-011 *** --------------------------------------------- Remote Command Execution in PDNS Manager --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-011.txt *** DFN-CERT-2017-1159: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1159/ *** IBM Security Bulletin: Incorrect saved channel status enquiry could cause denial of service for IBM MQ (CVE-2017-1236) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003510 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005108 *** IBM Security Bulletin: RabbitMQ vulnerability affect IBM Cloud Manager with OpenStack (CVE-2015-8786) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025403

1 0

Tageszusammenfassung - Dienstag 4-07-2017
by Daily end-of-shift report 04 Jul '17

04 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-07-2017 18:00 − Dienstag 04-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Yet more reasons to disagree with experts on nPetya *** --------------------------------------------- In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldnt return. Thus, its the undamaged areas you need to [...] --------------------------------------------- http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html *** Analysis of TeleBots cunning backdoor *** --------------------------------------------- On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely. --------------------------------------------- https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-back… *** GnuPG crypto library cracked, look for patches *** --------------------------------------------- Boffins bust libgcrypt via side-channel Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/07/04/gnupg_crypt… *** Cryptology ePrint Archive: Report 2017/627 *** --------------------------------------------- Sliding right into disaster: Left-to-right sliding windows leak Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery [...] --------------------------------------------- https://eprint.iacr.org/2017/627 *** ERCIM News 110 published - Special theme "Blockchain Engineering" *** --------------------------------------------- The ERCIM News No. 110 has just been published at with a special theme on "Blockchain Engineering". SBA Research contributes two articles in this issue. The first article is by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter and Edgar Weippl on [...] --------------------------------------------- https://www.sba-research.org/2017/07/03/ercim-news-110-published-special-th… *** Joomla! 3.7.3 Release *** --------------------------------------------- Security Issues Fixed Core - Information Disclosure (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.5.0-3.6.5) --------------------------------------------- https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release… *** Petya Malware Variant (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-181-01 Petya Ransomware Variant that was published June 30, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A *** RSA Archer eGRC Multiple Flaws Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks and Let Remote Authenticated Users Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038815 *** DFN-CERT-2017-1145: Apache Subversion: Eine Schwachstelle ermöglicht die Manipulation von Daten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1145/ *** SSA-563539 (Last Update: 2017-07-04): Vulnerabilities in OZW672 and OZW772 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-563539… *** SSA-323211 (Last Update: 2017-07-04): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211… *** SSA-452237 (Last Update: 2017-07-04): Vulnerabilities in Reyrolle *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-452237… *** IBM Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003868 *** IBM Security Bulletin: Multiple vulnerabilities in Open Source zlib affects IBM Netezza Platform Software clients (CVE-2016-9840, CVE-2016-9841 and CVE-2016-9843). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001026

1 0

Tageszusammenfassung - Montag 3-07-2017
by Daily end-of-shift report 03 Jul '17

03 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 30-06-2017 18:00 − Montag 03-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** From Pass-the-Hash to Pass-the-Ticket with No Pain *** --------------------------------------------- We are all grateful to the Microsoft which gave us the possibility to use the "Pass the Hash" technique! In short: if we have the NTLM hashes of the user password, we can authenticate against the remote system without knowing the real password, just using the hashes. Things were (finally) changing, starting from Windows 7, [...] --------------------------------------------- http://resources.infosecinstitute.com/pass-hash-pass-ticket-no-pain/ *** SQL Injection Vulnerability in WP Statistics *** --------------------------------------------- As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right [...] --------------------------------------------- https://blog.sucuri.net/2017/06/sql-injection-vulnerability-wp-statistics.h… *** OutlawCountry Is CIAs Malware for Hacking Linux Systems *** --------------------------------------------- WikiLeaks dumped today a manual describing a new CIA malware strain. Called OutlawCountry, this is malware designed for Linux operating systems. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/outlawcountry-is-cias-malwar… *** So You Think You Can Spot a Skimmer? *** --------------------------------------------- This week marks the 50th anniversary of the automated teller machine -- better known to most people as the ATM or cash machine. Thanks to the myriad methods thieves have devised to fleece unsuspecting cash machine users over the years, there are now more ways than ever to get ripped off at the ATM. Think youre good at spotting the various scams? A newly released ATM fraud inspection guide may help you test your knowledge. --------------------------------------------- https://krebsonsecurity.com/2017/06/so-you-think-you-can-spot-a-skimmer/ *** PE Section Name Descriptions, (Sun, Jul 2nd) *** --------------------------------------------- PE files (.exe, .dll, ...) have sections: a section with code, one with data, ... Each section has a name, and different compilers use different section names. Section names can help us identify the compiler and the type of PE file we are analyzing. --------------------------------------------- https://isc.sans.edu/diary/rss/22576 *** TLS security: Past, present and future *** --------------------------------------------- The Transport Layer Security (TLS) protocol as it stands today has evolved from the Secure Sockets Layer (SSL) protocol from Netscape Communications and the Private Communication Technology (PCT) protocol from Microsoft that were developed in the 1990s, mainly to secure credit card transactions over the Internet. It soon became clear that a unified standard was required, and an IETF TLS WG was tasked. As a result, TLS 1.0 was specified in 1999, TLS 1.1 in [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/03/tls-security/ *** Achtung, Fake: Nein, Billa verlost keinen 250-Euro-Gutschein auf Whatsapp *** --------------------------------------------- Der Kettenbrief verbreitet sich momentan rasant - Verlinkung auf mysteriöse Seite --------------------------------------------- http://derstandard.at/2000060650645 *** WSUSpendu? What for? *** --------------------------------------------- At BlackHat USA 2015, the WSUSpect attack scenario has been released. Approximately at the same time, some french engineers have been wondering if it would be possible to use a compromised WSUS server to extend the compromise to its clients, similarly to this WSUSpect attack. After letting this topic rest for almost two years, weve been able, at Alsid and ANSSI, to demonstrate this attack. --------------------------------------------- https://github.com/AlsidOfficial/WSUSpendu *** SB17-184: Vulnerability Summary for the Week of June 26, 2017 *** --------------------------------------------- Original release date: July 03, 2017 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit [...] --------------------------------------------- https://www.us-cert.gov/ncas/bulletins/SB17-184 *** DSA-3901 libgcrypt20 - security update *** --------------------------------------------- Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal andYuval Yarom discovered that Libgcrypt is prone to a local side-channelattack allowing full key recovery for RSA-1024. --------------------------------------------- https://www.debian.org/security/2017/dsa-3901 *** Bugtraq: [CVE-2017-9313] Webmin 1.840 Multiple XSS Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540794 *** Microsoft Dynamics CRM Input Validation Flaw in SyncFilterPage.aspx Lets Remote Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038813 *** FortiWLM upgrade user account hard-coded credentials *** --------------------------------------------- FortiWLM has a hard-coded password for its "upgrade" user account, which it uses to transfer files to and from the FortiWLC controller. Having the upgrade account credentials would allow an attacker to transfer files to any attached or previously attached controllers as an admin user, thus raising potential further security issues. --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-115 *** F5 Security Advisories *** --------------------------------------------- *** BIND vulnerability CVE-2017-3142 *** https://support.f5.com/csp/article/K59448931 --------------------------------------------- *** BIND vulnerability CVE-2017-3143 *** https://support.f5.com/csp/article/K02230327 --------------------------------------------- *** GnuTLS vulnerability CVE-2017-7507 *** https://support.f5.com/csp/article/K37830055 --------------------------------------------- *** Novell Patches *** --------------------------------------------- *** Sentinel 8.1 (Sentinel 8.1.0.0) Build 3732 *** https://download.novell.com/Download?buildid=SISjocZzgJM~ --------------------------------------------- *** eDirectory 9.0.3 Patch 1 (9.0.3.1) *** https://download.novell.com/Download?buildid=_f8Eq87R-gs~ --------------------------------------------- *** eDirectory 8.8 SP8 Patch 10 HotFix 1 *** https://download.novell.com/Download?buildid=z1R5CZBTHBM~ --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Improper Authentication vulnerability affects IBM Security Guardium (CVE-2017-1264) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004425 --------------------------------------------- *** IBM Security Bulletin: IBM Security Guardium is affected by XML External Entity vulnerability (CVE-2017-1254) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004463 --------------------------------------------- *** IBM Security Bulletin: OS Command Injection vulnerability affects IBM Security Guardium (CVE-2017-1253 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004426 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a local user to obtain sensitive information due to inappropriate data retention of attachments(CVE-2017-1176) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005210 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection(CVE-2017-1175) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005212 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting(CVE-2017-1208) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005243 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service *** http://www-01.ibm.com/support/docview.wss?uid=swg22001007 --------------------------------------------- *** IBM Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg21999760 --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Team Concert *** http://www.ibm.com/support/docview.wss?uid=swg22004611 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in NTP and OpenSSL affect IBM Netezza Firmware Diagnostics *** http://www-01.ibm.com/support/docview.wss?uid=swg21997020 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect SmartCloud Entry *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025357 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22005345 --------------------------------------------- *** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Information Disclosure vulnerability *** http://www.ibm.com/support/docview.wss?uid=swg22005382 --------------------------------------------- *** IBM Security Bulletin: IBM Integration Bus and WebSphere Message Broker are affected by Unquoted Search Path or Element (CWE-428) Vulnerability on Windows *** http://www.ibm.com/support/docview.wss?uid=swg22005383 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect WebSphere Message Broker and IBM Integration Bus *** http://www.ibm.com/support/docview.wss?uid=swg22005335 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Open Source Botan affects IBM Netezza Platform Software clients (CVE-2016-2849). *** http://www-01.ibm.com/support/docview.wss?uid=swg22001108 --------------------------------------------- *** IBM Security Bulletin: WebSphere Message Broker and IBM Integration Bus are affected by Open Source Tomcat vulnerability *** http://www.ibm.com/support/docview.wss?uid=swg22005331 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 30-06-2017
by Daily end-of-shift report 30 Jun '17

30 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 29-06-2017 18:00 − Freitag 30-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Eternal Champion Exploit Analysis *** --------------------------------------------- Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written.... --------------------------------------------- https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit… *** Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone *** --------------------------------------------- A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-… *** Sicherheitsupdates angekündigt: Ciscos IOS-System ist für Schadcode anfällig *** --------------------------------------------- Bisher können Betroffene die Bedrohung durch neu entdeckte Schwachstellen in Ciscos IOS und IOS EX nur über Workarounds eindämmen. Sicherheitspatches sollen folgen. --------------------------------------------- https://heise.de/-3759927 *** e-Government in Deutschland: Kritische Schwachstellen in zentraler Transportkomponente *** --------------------------------------------- You can find the English version of this post here containing further technical details.Die "OSCI-Transport" Java-Bibliothek ist eine Kernkomponente im deutschen e-Government. Schwachstellen in dieser Komponente erlauben es einem Angreifer, bestimmte zwischen Behörden ausgetauschte Informationen zu entschlüsseln oder zu manipulieren bzw. sogar Daten von Behördenrechnern auszulesen.OSCI-Transport ist ein Protokoll, das dazu dient Daten zwischen Behörden sicher [...] --------------------------------------------- http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstel… *** Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation *** --------------------------------------------- On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-ana… *** Eternal Blues: A free EternalBlue vulnerability scanner *** --------------------------------------------- It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulner… *** Cyber Europe 2016: Key lessons from a simulated cyber crisis *** --------------------------------------------- Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-f… *** TeleBots are back: supply-chain attacks against Ukraine *** --------------------------------------------- The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks. --------------------------------------------- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attack… *** How Malicious Websites Infect You in Unexpected Ways *** --------------------------------------------- You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...] --------------------------------------------- https://heimdalsecurity.com/blog/malicious-websites/ *** SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software *** --------------------------------------------- The Simple Network Management Protocol(SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Schneider Electric U.motion Builder *** --------------------------------------------- This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02 *** BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Conetnt *** --------------------------------------------- http://www.securitytracker.com/id/1038809 *** SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214… *** SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… *** 2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang… *** [2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government *** --------------------------------------------- The OSCI-transport library 1.2, a core component of Germanys e-government infrastructure, is affected by XXE, padding oracle and signature wrapping. These vulnerabilities could be used to read local files from OSCI-systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin:OpenSource ICU4C Vulnernabilties in IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21996949 --------------------------------------------- *** IBM Security Bulletin:Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998348 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21996957 --------------------------------------------- *** IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998347 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg21999097 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint *** https://www-01.ibm.com/support/docview.wss?uid=swg21999099 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems *** https://www-01.ibm.com/support/docview.wss?uid=swg21999105 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21999106 --------------------------------------------- *** IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg21991027 --------------------------------------------- *** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg21999098 --------------------------------------------- *** IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22004465 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance *** http://www-01.ibm.com/support/docview.wss?uid=swg22002763 --------------------------------------------- *** IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004461 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance *** http://www.ibm.com/support/docview.wss?uid=isg3T1025342 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections *** https://www-01.ibm.com/support/docview.wss?uid=swg22001465 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer *** https://www-01.ibm.com/support/docview.wss?uid=swg22001458 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint *** https://www-01.ibm.com/support/docview.wss?uid=swg22001455 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems *** https://www-01.ibm.com/support/docview.wss?uid=swg22001463 --------------------------------------------- *** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg22001460 --------------------------------------------- *** IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email *** https://www-01.ibm.com/support/docview.wss?uid=swg21998346 --------------------------------------------- *** IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004462 --------------------------------------------- *** IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004309 --------------------------------------------- *** IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238 ) *** http://www-01.ibm.com/support/docview.wss?uid=swg21989124 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003173 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 29-06-2017
by Daily end-of-shift report 29 Jun '17

29 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 28-06-2017 18:00 − Donnerstag 29-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Petya/NotPetya: Kein Erpressungstrojaner sondern ein "Wiper" *** --------------------------------------------- Nach eingehenden Analysen des Schädlings NotPetya sind sich die meisten Experten einig: Der Schädling hatte es nicht auf Geld abgesehen sondern auf Randale, sprich: auf möglichst großen Datenverlust bei den Opfern. --------------------------------------------- https://heise.de/-3759293 *** Update on Petya malware attacks *** --------------------------------------------- As happened recently with WannaCrypt, we again face a malicious attack in the form of ransomware, Petya. In early reports, there was a lot of conflicting information reported on the attacks, including conflation of unrelated and misleading pieces of data, so Microsoft teams mobilized to investigate and analyze, enabling our Malware Protection team to release... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware… *** Websites Grabbing User-Form Data Before Its Submitted *** --------------------------------------------- Websites are sending information prematurely:...we discovered NaviStones code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.This is important because it goes [...] --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/websites_grabbi.html *** Microsoft Announces "Controlled Folder Access" to Fend Off Crypto-Ransomware *** --------------------------------------------- This fall, Microsoft plans to release a new Windows Defender feature called Controlled Folder Access, which blocks and blacklists unauthorized apps from making changes to files located inside specially-designated folders. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-announces-control… *** DFN-CERT-2017-1124: Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. verschiedene Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1124/ *** Symantec Management Console XSS/XXE Issues *** --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Kaspersky Anti-Virus for Linux File Server Multiple Flaws Let Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, Remote Authenticated Users View Files on the Target System, and Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1038798 *** Bugtraq: ESA-2017-062: VASA Provider Virtual Appliance Remote Code Execution Vulnerability *** --------------------------------------------- http://www.securityfocus.com/archive/1/540783 *** 2017-06-16 (updated 2017-06-27): Cyber Security Notification - CrashOverride/Industroyer Malware *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&Lang… *** SMTP - Moderatley Critical - Information Disclosure - SA-CONTRIB-2017-055 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-055Project: SMTP Authentication Support (third-party module)Version: 7.x, 8.xDate: 2017-June-28Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Information DisclosureDescriptionThis SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged [...] --------------------------------------------- https://www.drupal.org/node/2890357 *** Services - Critical - SQL Injection - SA-CONTRIB-2017-054 *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-054Project: Services (third-party module)Version: 7.xDate: 2017-June-28Security risk: 19/25 ( Critical) AC:None/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: SQL InjectionDescriptionThis module provides a standardized solution for building APIs so that external clients can communicate with Drupal.The module doesnt sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it.This vulnerability is [...] --------------------------------------------- https://www.drupal.org/node/2890353 *** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affecting IBM Application Delivery Intelligence v1.0.1, v1.0.1.1, v1.0.2 and v5.0.2. (CVE-2017-3539, CVE-2016-9840, CVE-2016-9841,CVE-2016-9842, CVE-2016-9843) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005365 *** IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2017-1217) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004348 *** IBM Security Bulletin: Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX (CVE-2017-3514, CVE-2017-3512, CVE-2017-3511, CVE-2017-3509, CVE-2017-3544, CVE-2017-3533, CVE-2017-3539, CVE-2017-1289, CVE-2016-9840, CVE-2016-9841, *** --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/java_apr2017_advisory.asc

1 0

Tageszusammenfassung - Mittwoch 28-06-2017
by Daily end-of-shift report 28 Jun '17

28 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 27-06-2017 18:00 − Mittwoch 28-06-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Newport XPS-Cx, XPS-Qx *** --------------------------------------------- This advisory contains mitigation details for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-178-01 *** Schroedinger’s Pet(ya) *** --------------------------------------------- Earlier today (June 27th), we received reports about a new wave of ransomware attacks spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis. --------------------------------------------- http://securelist.com/schroedingers-petya/78870/ *** Microsoft bringing EMET back as a built-in part of Windows 10 *** --------------------------------------------- The built-in exploit mitigations are getting stronger and easier to configure. --------------------------------------------- https://arstechnica.com/?p=1124813 *** Citrix XenServer Multiple Security Updates *** --------------------------------------------- A number of security issues have been identified within Citrix XenServer. These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues .. --------------------------------------------- https://support.citrix.com/article/CTX224740 *** New ransomware, old techniques: Petya adds worm capabilities *** --------------------------------------------- On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-tech… *** DFN-CERT-2017-1114/">systemd: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff und die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1114/ *** DFN-CERT-2017-1112/">Microsoft Azure Active Directory (AD) Connect: Eine Schwachstelle ermöglicht eine Privilegieneskalation *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1112/ *** DSA-3900 openvpn - security update *** --------------------------------------------- Several issues were discovered in openvpn, a virtual private network application. --------------------------------------------- https://www.debian.org/security/2017/dsa-3900 *** Security Advisory - DoS Vulnerability of isub Service in Some Huawei Smartphones *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170628-… *** HPESBGN03763 rev.1 - HPE SiteScope, Disclosure of Sensitive Information, Bypass Security Restriction, Remote Arbitrary Code Execution *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE SiteScope. The vulnerabilities could be exploited to allow disclosure of sensitive information, bypass security restriction, and remote arbitrary code execution. --------------------------------------------- http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=hpesbgn03763en_us *** Linux-Kernel-Security: Torvalds bezeichnet Grsecurity als "Müll" *** --------------------------------------------- Mit seinem wie üblich wenig diplomatischen Feingefühl machte Kernel-Chefhacker Linus Torvalds auf der Kernel-Mailingliste deutlich, was er von dem auf Sicherheit fokussierten .. --------------------------------------------- https://www.golem.de/news/linux-kernel-security-torvalds-bezeichnet-grsecur… *** Stupidly Simple DDoS Protocol (SSDP) generates 100 Gbps DDoS *** --------------------------------------------- Last month we shared statistics on some popular reflection attacks. Back then the average SSDP attack size was ~12 Gbps and largest SSDP reflection we recorded was:30 Mpps (millions of packets per second)80 .. --------------------------------------------- https://blog.cloudflare.com/ssdp-100gbps/

1 0

Tageszusammenfassung - Dienstag 27-06-2017
by Daily end-of-shift report 27 Jun '17

27 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 26-06-2017 18:00 − Dienstag 27-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Petya Ransomware Outbreak *** --------------------------------------------- Heute hat es in mehreren Firmen in Europa IT-Ausfälle durch Ransomware gegeben. Dabei dürfte die Ransomware auch ein "lateral movement" innerhalb einer Organisation durchführen, und so eine breitflächige Infektion und damit Verschlüsselung erreichen. Die Faktenlage zu den genauen Vektoren, sowohl für die initiale Infektion, als auch für die Weiterverbreitung innerhalb des lokalen Netzes, ist noch sehr dünn und [...] --------------------------------------------- http://www.cert.at/services/blog/20170627170903-2046.html *** Second Global Ransomware Outbreak Under Way *** --------------------------------------------- A massive ransomware outbreak is spreading globally and being compared to WannaCry. --------------------------------------------- http://threatpost.com/second-global-ransomware-outbreak-under-way/126549/ *** E-Mails über angebliche Verkehrsstrafen *** --------------------------------------------- E-Mails über angebliche Verkehrsstrafen – ACHTUNG: dahinter verbirgt sich Schadsoftware --------------------------------------------- http://www.bmi.gv.at/cms/BK/betrug/files/2762017_E_Mails_ber_angebliche_Ver… *** How Spora ransomware tries to fool antivirus *** --------------------------------------------- Spora ransomware is back and its trying to confuse antivirus products and email filters. --------------------------------------------- http://feedproxy.google.com/~r/nakedsecurity/~3/fpIDs0aHpNY/ *** $1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks *** --------------------------------------------- The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/-1-million-ransomware-paymen… *** How Not to Encrypt a File - Courtesy of Microsoft *** --------------------------------------------- A client recently sent me a crypto spec which involved some, how do I say, suboptimal use of crypto primitives. They're .Net users so I decided to search for a nice msdn crypto reference to set them straight. Instead I found the likely culprit behind their confusion. --------------------------------------------- https://medium.com/@bob_parks1/how-not-to-encrypt-a-file-courtesy-of-micros… *** New Shifr RaaS Lets Any Dummy Enter the Ransomware Business *** --------------------------------------------- Several security researchers have spotted a new Ransomware-as-a-Service (RaaS) portal over the weekend that lets anyone generate their own ransomware executable just by filling in three form fields and pressing a button. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shifr-raas-lets-any-dumm… *** What's new in Windows Defender ATP Fall Creators Update *** --------------------------------------------- When we introduced Windows Defender Advanced Threat Protection (Windows Defender ATP), our initial focus was to reduce the time it takes companies to detect, investigate, and respond to advanced attacks. The Windows Fall Creators Update represents a new chapter in our product evolution as we offer a set of new prevention capabilities designed to stop... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-de… *** Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 Hot Patch 2 *** --------------------------------------------- Abstract: Micro Focus GroupWise Mobility Service 2014 R2 Support Pack 2 HP2 has been released. Please see the details section below for installation instructions and the change log section for bug fixes since the last release. NOTE: Please do not continue using older versions of GMS SSLCheck. It has been superceded by GroupWise Mobility Service SSLCheck 1.1 found here: http://download.novell.com/Download?buildid=9naDJkniVtg~Document ID: 5311890Security Alert: YesDistribution Type: [...] --------------------------------------------- https://download.novell.com/Download?buildid=SIbPzOKmofQ~ *** SSA-874235 (Last Update 2017-06-26): Intel Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM PureApplication System *** http://www-01.ibm.com/support/docview.wss?uid=swg22005209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK Java Technology Edition Version 6, 7, 8 and IBM Runtime Environment Java Version 6, 7, 8 in IBM FileNet Content Manager, and IBM Content Foundation *** http://www.ibm.com/support/docview.wss?uid=swg22003154 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects IBM PureApplication System (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=swg22005135 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilites in IBM Java Runtime Affect Optim Data Growth, Test Data Management and Application Retirement *** http://www-01.ibm.com/support/docview.wss?uid=swg22003285 --------------------------------------------- *** IBM Security Bulletin: Security vulnerability in SWF files shipped with IBM Cúram Social Program Management (CVE-2017-1106) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004580 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 26-06-2017
by Daily end-of-shift report 26 Jun '17

26 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 23-06-2017 18:00 − Montag 26-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Erneut kritische Lücke in Windows Defender & Co *** --------------------------------------------- Alle AV-Produkte aus dem Hause Microsoft wiesen einen kritischen Fehler auf, der es erlaubte, Windows-Systeme zu kapern. Dazu genügte es, wenn die AV-Software etwa eine Datei in einer E-Mail oder auf der Festplatte auf Schadcode untersucht. --------------------------------------------- https://heise.de/-3756013 *** Brutal Kangaroo: CIA-Werkzeug infiziert Rechner per USB-Stick *** --------------------------------------------- WikiLeaks hat geheime CIA-Dokumente veröffentlicht, in denen eine Werkzeug-Suite beschrieben ist, mit der sich via USB-Stick Informationen von Rechnern abgreifen lassen, die nicht mit dem Internet verbunden sind. --------------------------------------------- https://heise.de/-3754923 *** Aktuelle Intel-Prozessoren von "Albtraum"-Bug geplagt *** --------------------------------------------- Debian-Projekt spürt Fehler auf, der zu Datenverlust unter allen Betriebssystemen führen kann --------------------------------------------- http://derstandard.at/2000059819966 *** Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern *** --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) beobachtet derzeit professionelle Cyber-Angriffe auf private E-Mail-Postfächer von Funktionsträgern aus Wirtschaft und Verwaltung. Bei dieser Angriffskampagne werden täuschend echt erscheinende Spearphishing-Mails an ausgewähltes Spitzenpersonal gesandt. Die Angreifer geben beispielsweise vor, Auffälligkeiten bei der Nutzung des Postfachs [...] --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/Spearphishi… *** Traveling with a Laptop / Surviving a Laptop Ban: How to Let Go of "Precious", (Mon, May 29th) *** --------------------------------------------- For a few months now, passengers on flights from certain countries are no longer allowed to carry laptops and other larger electronic devices into the cabin. Many news media reported over the last weeks that this policy may be expanded to flight from Europe, or to all flights entering the US. But even if you get to keep your laptop with you during your flight, it is difficult to keep it at your site when you travel. So regardless if this ban materializes or not (right now it looks like it will [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22462 *** Malware: Der unvollständige Ransomware-Schutz von Windows 10 S *** --------------------------------------------- Windows 10 S soll vor Ransomware schützen - sagt Microsoft. Einem Sicherheitsforscher gelang es trotzdem, innerhalb weniger Stunden Zugriff auf Systemprozesse zu bekommen. --------------------------------------------- https://www.golem.de/news/malware-der-unvollstaendige-ransomware-schutz-von… *** Look, But Dont Touch: One Key to Better ICS Security *** --------------------------------------------- Better visibility is essential to improving the cybersecurity of industrial control systems and critical infrastructure, but the OT-IT cultural divide must be united. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/look-but-dont-touch-o… *** Blocks and Chains now available *** --------------------------------------------- Our book has just been published: Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms. Aljosha Judmayer, Nicholas Stifter, Katharina Krombholz, and Egar Weippl --------------------------------------------- https://www.sba-research.org/2017/06/24/blocks-and-chains-now-available/ *** DFN-CERT-2017-1100: Microsoft Malware Protection Engine: Eine Schwachstelle ermöglicht die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1100/ *** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Multiple Vulnerabilities *** --------------------------------------------- Symantec has released an update to address three issues that were discovered in the Symantec Messaging Gateway (SMG). --------------------------------------------- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=s… *** Vuln: Multiple Pivotal Products CVE-2017-4974 SQL Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/99254 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: API security restrictions can be bypassed in IBM API Connect (CVE-2017-1328) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003867 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Cross Site Scripting. (CVE-2017-1234) *** http://www.ibm.com/support/docview.wss?uid=swg22004948 --------------------------------------------- *** IBM Security Bulletin: Docker and Python as used in IBM QRadar SIEM is vulnerable to various CVEs. *** http://www.ibm.com/support/docview.wss?uid=swg22004947 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Global Mailbox in IBM Sterling B2B Integrator (CVE-2015-5262, CVE-2014-3577) *** http://www-01.ibm.com/support/docview.wss?uid=swg22005149 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM has weak password requirements. (CVE-2016-9738) *** http://www.ibm.com/support/docview.wss?uid=swg22004926 --------------------------------------------- *** IBM Security Bulletin: IBM QRadar SIEM is missing HSTS header. (CVE-2016-9972) *** http://www.ibm.com/support/docview.wss?uid=swg22004925 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions (Multiple CVEs) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003998 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator *** http://www.ibm.com/support/docview.wss?uid=swg22004713 --------------------------------------------- *** IBM Security Bulletin: Vulnerability affects WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-3092) *** http://www-01.ibm.com/support/docview.wss?uid=swg2C1000300 --------------------------------------------- *** IBM Security Bulletin: October 2015 Java Platform Standard Edition Vulnerabilities in Multiple N Series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009992 --------------------------------------------- *** IBM Security Bulletin: July 2014 Java Runtime Environment (JRE) Vulnerabilities in Multiple N series Products *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009972 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 23-06-2017
by Daily end-of-shift report 23 Jun '17

23 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 22-06-2017 18:00 − Freitag 23-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Getting ready for the European Cyber Security Month 2017 *** --------------------------------------------- 100 days left for the launch of the European Cyber Security Month, the EU annual advocacy campaign which takes place in October supported by ENISA and EC DG CONNECT with the participation of many partners from all over Europe. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/getting-ready-for-the-european-… *** Microsoft Says Fireball Threat ‘Overblown’ *** --------------------------------------------- Check Point has toned down its initial estimates on the number of Fireball malware infections from 250 million machines and 20 percent of corporate networks to 40 million computers. --------------------------------------------- http://threatpost.com/microsoft-says-fireball-threat-overblown/126472/ *** DSA-3894 graphite2 - security update *** --------------------------------------------- Multiple vulnerabilities have been found in the Graphite font rendering engine which might result in denial of service or the execution of arbitrary code if a malformed font file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3894 *** ZDI-17-441: Apple Safari Node Use-After-Free Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-441/ *** DSA-3896 apache2 - security update *** --------------------------------------------- Several vulnerabilities have been found in the Apache HTTPD server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3896 *** Smart burglars will ride the surf of inter-connected hackability *** --------------------------------------------- Let’s invent a dustbin that throws itself away Something for the Weekend, Sir? What the world needs now is an intelligent dustbin. It would be the pinnacle of achievement for the Internet of Things sector. --------------------------------------------- www.theregister.co.uk/2017/06/23/smart_burglars_will_ride_the_surf_of_inter… *** Mutmaßlich russische Hacker stahlen Daten britischer Politiker *** --------------------------------------------- http://derstandard.at/2000059699661 *** Deutsches Sicherheitsamt warnt vor Cyber-Attacken auf Verwaltung *** --------------------------------------------- Ähnlich wie auf US-Demokraten und französische Partei von Präsident Macron --------------------------------------------- http://derstandard.at/2000059699049 *** Node.js: Hälfte der NPM-Pakete durch schwache Passwörter verwundbar *** --------------------------------------------- Der NPM-Dienst hat vor zwei Wochen Passwörter von Entwicklern zurückgezogen. Jetzt ist klar warum: Ein Hacker konnte schwache Passwörter sammeln und hätte damit wohl die Hälfte des .. --------------------------------------------- https://www.golem.de/news/node-js-haelfte-der-npm-pakete-durch-schwache-pas… *** Microsoft weist Vorwürfe von Antivirenhersteller zurück *** --------------------------------------------- Microsoft betont in einem Blogpost die Bedeutung der Zusammenarbeit mit Antivirenherstellern im Rahmen der Microsoft Virus Initiative. Die Veröffentlichung kann als direkte Reaktion auf die Beschwerde von Kaspersky bei Kartellwächtern verstanden werden. --------------------------------------------- https://heise.de/-3754148 *** Video: So kaperten Hacker ein Stromkraftwerk *** --------------------------------------------- 2015 haben Hacker den Strom für über 200.000 Personen in der Ukraine ausfallen lassen. Ein Video zeigt, wie sie die Steuer-PCs übernommen haben. --------------------------------------------- https://futurezone.at/digital-life/video-so-kaperten-hacker-ein-stromkraftw… *** FBI: Extortion, CEO Fraud Among Top Online Fraud Complaints in 2016 *** --------------------------------------------- Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBIs Internet Crime Complaint Center (IC3). The IC3 report released .. --------------------------------------------- https://krebsonsecurity.com/2017/06/fbi-extortion-ceo-fraud-among-top-onlin…

1 0

Tageszusammenfassung - Donnerstag 22-06-2017
by Daily end-of-shift report 22 Jun '17

22 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 21-06-2017 18:00 − Donnerstag 22-06-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Cisco WebEx Network Recording Player Multiple Buffer Overflow Vulnerabilities *** --------------------------------------------- Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files. An attacker could exploit these vulnerabilities by providing a user with a malicious ARF file via email or URL and convincing the user to launch the file. Exploitation of these vulnerabilities could cause an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco Prime Infrastructure *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco Identity Services *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Multiple vulnerabilities in Cisco IOS XR *** --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Firepower Management Center Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Kritischer Bug in Kompressions-Bibliothek RAR gefährdet AV-Software *** --------------------------------------------- Fehler beim Auspacken von Archiven sind kritisch, weil sie sich besonders einfach ausnutzen lassen – etwa wenn die Antiviren-Software nach Schadcode sucht. Umso bitterer ist es, wenn die sich fünf Jahre nach ihrer Entdeckung noch ausnutzen lassen. --------------------------------------------- https://heise.de/-3751528 *** Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003 *** --------------------------------------------- https://www.drupal.org/SA-CORE-2017-003 *** TeslaWare Plays Russian Roulette with your Files *** --------------------------------------------- I was told about a new ransomware called TeslaWare that is being promoted on a black hat criminal site. After a quick search, I was able to find a sample that was compiled yesterday .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/teslaware-plays-russian-roul… *** Locky Ransomware Returns, but Targets Only Windows XP & Vista *** --------------------------------------------- The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but… *** NSA-Backed OpenC2.org Aims to Defend Systems at Machine Speed *** --------------------------------------------- Security experts, vendors, business and the NSA are developing a standardized language that rather than autonomously understands threats, acts on them. --------------------------------------------- http://threatpost.com/nsa-backed-openc2-org-aims-to-defend-systems-at-machi… *** Web Application Pentest Guide Part-I *** --------------------------------------------- In this article, we are going to pentest a web application which was developed by HP for scanner evaluation purpose. We will be demonstrating the complete process .. --------------------------------------------- http://resources.infosecinstitute.com/web-application-pentest-guide-part/ *** Windows-Trojaner nutzt NSA-Hintertür um verdeckt Kryptowährungen zu schürfen *** --------------------------------------------- Die DOUBLEPULSAR-Hintertür der NSA wird momentan missbraucht, um ungeschützte Windows-Rechner mit einem Trojaner zu infizieren, der heimlich die Kryptowährung Monero (XMR) schürft. --------------------------------------------- https://heise.de/-3751247 *** [2017-06-22] Multiple vulnerabilities in Cisco Prime Infrastructure *** --------------------------------------------- Multiple security vulnerabilities in Cisco Prime Infrastructure < 3.1.6 could allow local low-privileged user to read arbitrary files such as wireless access point configurations, read the hashed passwords of all the users including the administrator from database and infect other users with JavaScript trojan. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Understanding the true size of “Fireball” *** --------------------------------------------- ... when recent reports of the “Fireball” cybersecurity threat operation were presented as a new discovery, our teams knew .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/22/understanding-the-true-… *** IBM Security Bulletin: Multiple vulnerabilities in EBICS client in IBM Sterling B2B Integrator (CVE-2017-1132, CVE-2017-1347, CVE-2017-1348) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004199 *** IBM Security Bulletin: HTTP verb tampering vulnerability affects IBM Sterling B2B Integrator (CVE-2017-1131) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004270 *** Why So Many Top Hackers Hail from Russia *** --------------------------------------------- Conventional wisdom says one reason so many hackers seem to hail from Russia and parts of the former Soviet Union is that these countries have traditionally placed a much greater emphasis than educational institutions in the West on teaching information .. --------------------------------------------- https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russi… *** DSA-3892 tomcat7 - security update *** --------------------------------------------- Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically using .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3892 *** DSA-3891 tomcat8 - security update *** --------------------------------------------- Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet andJSP engine, static error pages used the original requests HTTP methodto serve content, instead of systematically .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3891

1 0

Tageszusammenfassung - Mittwoch 21-06-2017
by Daily end-of-shift report 21 Jun '17

21 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 20-06-2017 18:00 − Mittwoch 21-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Partnering with the AV ecosystem to protect our Windows 10 customers *** --------------------------------------------- On Friday May 12th, and for several days afterwards, more than a quarter-million computers around the world fell victim to the ransomware known .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/20/partnering-with-the-av-… *** Unwanted “Shorte St” Ads in Unpatched Newspaper Theme *** --------------------------------------------- Unwanted ads are one of the most common problems that site owners ask us to solve. Recently, we’ve noticed quite a few requests to remove intrusive “shorte st” ads that they never installed on their sites themselves. My colleague Denis Sinegubko of UnmaskParasites .. --------------------------------------------- https://blog.sucuri.net/2017/06/unwanted-shorte-st-ads-in-unpatched-newspap… *** Hacker exposed bank loophole to buy luxury cars and a face tattoo *** --------------------------------------------- ♪ Im gonna wait... til the midnight hour, when theres no one else around A UK hacker who stole £100,000 from his bank after spotting a loophole in its systems has been jailed for 16 months. --------------------------------------------- www.theregister.co.uk/2017/06/20/face_tattoo_bank_hacker/ *** More Android apps from dangerous Ztorg family sneak into Google Play *** --------------------------------------------- Almost 100 such apps, with >1 million downloads, found so far (but not by Google). --------------------------------------------- https://arstechnica.com/security/2017/06/more-android-apps-from-dangerous-z… *** Minimalist Alina PoS Variant Starts Using SSL *** --------------------------------------------- More than four years ago, we published a series of blogs discussing in-depth analysis of Alina Point of Sale (PoS) malware. And for the past four years, it is interesting to see .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Minimalist-Alina-PoS-Variant… *** Nach Leak: Studio zahlte "Orange Is the New Black"-Erpresser *** --------------------------------------------- Hacker hatten etwa 50.000 US-Dollar gefordert --------------------------------------------- http://derstandard.at/2000059577414 *** Wannacry: Honda stoppt Autobau wegen Ransomware *** --------------------------------------------- Autowerk im japanischen Sayana setzt vorübergehend Produktion aus --------------------------------------------- http://derstandard.at/2000059583968 *** Decline in Rig Exploit Kit *** --------------------------------------------- Unit 42 investigates recent developments in the EITest & psuedo-Darkleech campaigns contributing to the decline of Rig exploit kits. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/06/unit42-decline-rig-expl…

1 0

Tageszusammenfassung - Dienstag 20-06-2017
by Daily end-of-shift report 20 Jun '17

20 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 19-06-2017 18:00 − Dienstag 20-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Apache HTTPD Bugs Let Remote Users Deny Service and Bypass Authentication in Certain Cases *** --------------------------------------------- Fix Available: Yes Vendor Confirmed: Yes Version(s): 2.2.0 - 2.2.32, 2.4.0 - 2.4.25 Description: Several vulnerabilities were reported in Apache HTTPD. A remote user can cause the target service to crash. A remote user can bypass authentication. --------------------------------------------- http://www.securitytracker.com/id/1038711 *** Bugtraq: [security bulletin] HPESBGN03758 rev.2 - HPE UCMDB, Remote Code Execution *** --------------------------------------------- http://www.securityfocus.com/archive/1/540745 *** McAfee Labs Threats Report Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit *** --------------------------------------------- We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter's report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques and how malware authors use them to accomplish... --------------------------------------------- https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-labs-threats-report-… *** Glibc Stack/Heap Memory Allocation Error Lets Local Users Gain Elevated Privileges *** --------------------------------------------- A local user can supply specially crafted LD_LIBRARY_PATH values to trigger a stack memory allocation flaw in certain cases and execute arbitrary code on the target system with elevated privileges. The stack guard-page memory gap can be "jumped" in cases where heap memory and stack memory are adjacent. --------------------------------------------- http://www.securitytracker.com/id/1038712 *** [2017-06-20] Multiple Reflected Cross Site Scripting (XSS) issues in Ubiquiti Networks products *** --------------------------------------------- Multiple Ubiquiti Networks products with firmware XM v6.0, SW v1.3.3 and AF24 v3.2 are affected by a POST-request based cross site scripting vulnerability. Malicious JavaScript code can be executed in the browser of the user and cookies can be stolen. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** DFN-CERT-2017-1052/">Exim: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Betroffene Software: Exim <= 4.89 In Exim existiert eine Schwachstelle, weil durch die Mehrfachverwendung von '-p' als Befehlszeilenargument Speicher reserviert werden kann, der nicht wieder freigegeben wird. Ein lokaler, nicht authentisierter Angreifer kann dies nur in Verbindung mit einer anderen Schwachstelle ausnutzen, um beliebigen Programmcode zur Ausführung zu bringen und möglicherweise auch eine Rechteerweiterung auf Root-Privilegien durchzuführen. Debian stellt für die stabile Distribution Stretch und die alte stabile Distribution Jessie jeweils Backport-Sicherheitsupdates bereit. CVE-2017-1000369 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1052/ *** Oracle Security Alert for CVE-2017-3629 *** --------------------------------------------- This Security Alert addresses CVE-2017-3629 and two other vulnerabilities affecting Oracle Solaris. These are local privilege escalation vulnerabilities that may only be exploited over a network with a valid username and password. Together, these vulnerabilities may allow privilege escalation to root. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-375… *** Vuln: SAP Business Objects DS Open Redirection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/99143 *** Xen Security Advisories *** --------------------------------------------- XSA-216: blkif responses leak backend stack data XSA-217: page transfer may allow PV guest to elevate privilege XSA-218: Races in the grant table unmap code XSA-219: x86: insufficient reference counts during shadow emulation XSA-220: x86: PKRU and BND* leakage between vCPU-s XSA-221: NULL pointer deref in event channel poll XSA-222: stale P2M mappings due to insufficient error checking XSA-223: ARM guest disabling interrupt may crash Xen XSA-224: grant table operations mishandle reference --------------------------------------------- https://lists.xen.org/archives/html/xen-announce/2017-06/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i. *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022142 --------------------------------------------- *** IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1304) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010230 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ Internet Pass-Thru *** http://www.ibm.com/support/docview.wss?uid=swg22001701 --------------------------------------------- *** IBM Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg22002049 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 19-06-2017
by Daily end-of-shift report 19 Jun '17

19 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 16-06-2017 18:00 − Montag 19-06-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Bugtraq: ESA-2017-041: EMC VNX1 and VNX2 Family Multiple Vulnerabilities in VNX Control Station *** --------------------------------------------- http://www.securityfocus.com/archive/1/540738 *** VU#768399: HPE SiteScope contains multiple vulnerabilities *** --------------------------------------------- HPEs SiteScope is vulnerable to several cryptographic issues, insufficiently protected credentials, and missing authentication. Description HPEs SiteScope is vulnerable to several vulnerabilities. --------------------------------------------- http://www.kb.cert.org/vuls/id/768399 *** Analysis of the Shadow Brokers release and mitigation with Windows 10 virtualization-based security *** --------------------------------------------- On April 14, a group calling themselves the Shadow Brokers caught the attention of the security community by releasing a set of weaponized exploits. Shortly thereafter, one of these exploits .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-… *** DSA-3884 gnutls28 - security update *** --------------------------------------------- Hubert Kario discovered that GnuTLS, a library implementing the TLS and SSL protocols, does not properly decode a status response TLS extension,allowing a remote attacker to cause an application using the GnuTLS library to crash (denial of service). --------------------------------------------- https://www.debian.org/security/2017/dsa-3884 *** In eigener Sache: Umstellung der Tageszusammenfassungen *** --------------------------------------------- In eigener Sache: Umstellung der Tageszusammenfassungen19. Juni 2017In der Woche vom 3.-7. 7. 2017 werden wir das Format unserer Tageszusammenfassungen anpassen. Inhaltlich bleibt alles wie gewohnt, wir werden aber der besseren Übersichtlichkeit halber den Inhalt in mehrere Sektionen unterteilen. Damit sollte es .. --------------------------------------------- http://www.cert.at/services/blog/20170619121641-2037.html *** D-Link DSL-2640U - Unauthenticated DNS Change *** --------------------------------------------- The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with .. --------------------------------------------- https://www.exploit-db.com/exploits/42195/ *** -Link DSL-2640B - Unauthenticated Remote DNS Change *** --------------------------------------------- The vulnerability exist in the web interface, which is accessible without authentication. Once modified, systems use foreign DNS servers, which are usually set up by cybercriminals. Users with .. --------------------------------------------- https://www.exploit-db.com/exploits/42197/ *** IBM Security Bulletin: IBM MQ Trace enablement could cause denial of service (CVE-2017-1117) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001468 *** IoT Malware Activity Already More Than Doubled 2016 Numbers *** --------------------------------------------- The number of new malware samples in the wild this year targeting connected internet-of-things (IoT) devices has already more than doubled last year’s total. --------------------------------------------- http://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-n…

1 0

Tageszusammenfassung - Freitag 16-06-2017
by Daily end-of-shift report 16 Jun '17

16 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 14-06-2017 18:00 − Freitag 16-06-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a *** Former Major Player Neutrino Exploit Kit Has Gone Dark *** --------------------------------------------- The Neutrino exploit kit, a former leader of the exploit kit market, appears to have shut down, with the last activity recorded at the start of April, well over two months ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/former-major-player-neutrino… *** SAP Security Patch Day - June 2017 *** --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. --------------------------------------------- https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/ *** Entschlüsselungstool für Erpressungstrojaner Jaff veröffentlicht *** --------------------------------------------- Ein Sicherheitsforscher von Kaspersky hat eine Schwachstelle im Code der Ransomware Jaff entdeckt. Nun können Betroffene ihre Daten mit einem kostenlosen Tool entschlüsseln. --------------------------------------------- https://heise.de/-3744042 *** New cyber security information service launched today by ENISA *** --------------------------------------------- ENISA launched today its new cyber security information service "Cyber Security Info Notes" with the aim to provide timely key information and recommendations on cyber security topics and incidents. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/new-cyber-security-information-… *** Wikileaks Unveils Cherry Blossom - Wireless Hacking System Used by CIA *** --------------------------------------------- WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework - which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices. --------------------------------------------- https://thehackernews.com/2017/06/cia-wireless-router-hacking-tool.html *** Samsung-Domain abgelaufen: Millionen Smartphones waren laut Experten für Hacker offen *** --------------------------------------------- Laut Sicherheitsforscher hätten Hacker Malware einschleusen können - Samsung dementiert --------------------------------------------- http://derstandard.at/2000059348103 *** Developer Creates Rootkit That Hides in PHP Server Modules *** --------------------------------------------- A Dutch web developer has created a rootkit that hides inside a PHP module and can be used to take over web servers via a rarely used attack vector: Apache modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/developer-creates-rootkit-th… *** Kein Patch für Denial-of-Service-Lücke in Windows Server *** --------------------------------------------- Im Windows Internet Name Service (WINS) von Windows Server klafft eine Denial-of-Service-Lücke, die Microsoft nicht patchen wird - der Aufwand sei zu groß. Wer den Dienst noch nutzt, soll stattdessen auf DNS ausweichen. --------------------------------------------- https://heise.de/-3744148 *** Cyber Security Notification - MicroSCADA Pro SYS600 and CRASHOVERRIDE *** --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A0857&Lang… *** Bugtraq: ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability *** --------------------------------------------- ESA-2017-043: EMC ESRS Virtual Edition Authentication Bypass Vulnerability --------------------------------------------- http://www.securityfocus.com/archive/1/540721 *** DFN-CERT-2017-1030 ISC BIND: Zwei Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1030/ *** Siemens *** --------------------------------------------- *** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-17-129-01A --------------------------------------------- *** Siemens devices using the PROFINET Discovery and Configuration Protocol (Update A) *** https://ics-cert.us-cert.gov/advisories/ICSA-17-129-02A --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010301 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025390 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025395 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in libxml2 affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025389 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Flex System Manager (FSM) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1024890 --------------------------------------------- *** IBM Security Bulletin: Vulnerability CVE-2017-7494 in Samba affects IBM i *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022134 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-7494) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010317 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in IBM Java SDK affects multiple IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg22004599 --------------------------------------------- *** IBM Security Bulletin: IBM MQ and IBM MQ Appliance Open Source zlib is vulnerable to a denial of service (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001520 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 14-06-2017
by Daily end-of-shift report 14 Jun '17

14 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 13-06-2017 18:00 − Mittwoch 14-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Internet hygiene still stinks despite botnet and ransomware flood *** --------------------------------------------- Millions of must-be-firewalled services sitting wide open Network security has improved little over the last 12 months - millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/06/14/rapid7_devi… *** June 2017 security update release *** --------------------------------------------- Microsoft releases additional updates for older platforms to protect against potential nation-state activity Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heighted risk of exploitation due to past nation-state activity and disclosures. Some of the releases today are... --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/06/13/june-2017-security-upda… *** When Your Plugins Turn Against You *** --------------------------------------------- Every day we face countless cases of sites getting compromised and infected by an attacker. From there, the sites can be used for various operations like spam campaigns, malware spreading or simply to damage your SEO ranking among other events. The threat may not always come from outside though. There are occasions where we are indirectly the ones responsible for the infection and may never find out until we get blacklisted by a search engine, or alerted of malicious code from our users. --------------------------------------------- https://blog.sucuri.net/2017/06/when-your-plugins-turn-against-you.html *** MSRT June 2017: Removing sneaky Xiazai *** --------------------------------------------- In the June release of the Microsoft Software Removal Tool (MSRT), we're adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015. Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the... --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/13/msrt-june-2017-removing… *** ZDI-17-396: Trend Micro Maximum Security tmusa Time-Of-Check/Time-Of-Use Privilege Escalation Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to escalate privilege on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/FQzTY0SrpbU/ *** ZDI-17-395: Trend Micro Maximum Security tmusa Kernel Driver Untrusted Pointer Dereference Denial of Service Vulnerability *** --------------------------------------------- This vulnerability allows local attackers to deny service on vulnerable installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/ZDI-Published-Advisories/~3/hoecBsyhda4/ *** Nmap 7.50 released: New NSE scripts, 300+ fingerprints, new Npcap *** --------------------------------------------- Nmap 7.50 is the first big release since last December and has hundreds of improvements. One of the things the developers have worked on recently is the Npcap packet capturing driver and library for Windows. It is a replacement for WinPcap, which is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. Developers also added loopback packet capture and injection, raw wireless sniffing, and extra security features ... --------------------------------------------- https://www.helpnetsecurity.com/2017/06/14/nmap-7-50-released/ *** Patchday: Microsoft sichert XP und Vista ab, warnt vor neuem WannaCry *** --------------------------------------------- In einem bisher nicht dagewesenen Schritt hat Microsoft am Patchday Updates für Windows-Versionen ausgeliefert, die nicht mehr unterstützt werden. Die Firma entschloss sich dazu, da sie weitere WannaCry-ähnliche Attacken befürchtet. --------------------------------------------- https://heise.de/-3743004 *** Gefälschte Netflix-Nachricht: Problem with your Membership *** --------------------------------------------- In einer gefälschten Netflix-Nachricht behaupten Kriminelle, dass es Probleme mit den Kreditkartendaten von Kund/innen gäbe. Aus diesem Grund sollen sie auf einer Website ihre Zahlungsmethode erneuern. Kund/inenn, die der Aufforderung nachkommen, übermitteln ihre Bankdaten an Kriminelle und werden Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/phishing/gefaelschte-netflix-nachricht-pr… *** Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Users Gain Elevated Privileges *** --------------------------------------------- A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system. A local user can obtain elevated privileges on the target system. A local user can modify files on the target system. A remote user can obtain files on the target system. A remote user can spoof the address bar. Solution: The vendor has issued a fix (ESR 52.2; 54.0). --------------------------------------------- http://www.securitytracker.com/id/1038689 *** Wegen Sicherheitsproblemen: Kein SMB1 in Windows-Neuinstallationen *** --------------------------------------------- Microsoft plant den nächsten Schritt zur Abschaffung des SMB1-Protokolls. Nach den Updates im Herbst soll das über 30 Jahre alte Protokoll in Neuinstallationen von Windows standardmäßig deaktiviert sein. --------------------------------------------- https://heise.de/-3743127 *** Security Advisory - Permission Control Vulnerability in Smart Phones *** --------------------------------------------- Some Huawei Smart phones have a permission control vulnerability. Due to improper authorization on specific processes, an attacker with the root privilege of a mobile Android system can exploit this vulnerability to obtain some information of the user. CVE-2017-8216 --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170614-… *** DDoS-Drohungen *** --------------------------------------------- Seit gestern werden weltweit E-Mails mit einem Erpressungsversuch und einer angedrohten Denial of Service-Attacke verschickt. Diese E-Mails stammen von einer Gruppe, die sich HACKER TEAM - Meridian Collective nennt ... Es kann davon ausgegangen werden, dass - wie in der Vergangenheit - diesen Drohungen keinerlei tatsächliche Angriffe folgen werden. Den Forderungen sollte daher nicht nachgekommen werden. --------------------------------------------- https://www.dfn-cert.de/aktuell/ddos-drohungen.html *** FIRST Releases Framework for Product Security Incident Response Teams *** --------------------------------------------- The leading association of incident response and security teams released a draft of the Product Security Incident Response Teams (PSIRT) Services Framework for public input. This is a formal list of services a PSIRT may consider implementing to address the needs of their constituency. Public input is welcomed until August 31, 2017 via psirt-comments(a)first.org. --------------------------------------------- https://www.first.org/newsroom/releases/20170614 *** HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure *** --------------------------------------------- ... DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea's distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders ... --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA17-164A *** EMC *** --------------------------------------------- *** Vuln: EMC RSA BSAFE Cert-C CVE-2017-4981 Denial of Service Vulnerability *** http://www.securityfocus.com/bid/99044 --------------------------------------------- *** Vuln: EMC Secure Remote Services Virtual Edition CVE-2017-4986 Authentication Bypass Vulnerability *** http://www.securityfocus.com/bid/99036 --------------------------------------------- *** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4984 Remote Code Execution Vulnerability *** http://www.securityfocus.com/bid/99039 --------------------------------------------- *** Vuln: EMC VNX1/VNX2 OE for File CVE-2017-4985 Local Privilege Escalation Vulnerability *** http://www.securityfocus.com/bid/99037 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Algo One Counterparty Credit Risk (CVE-2016-8745) *** http://www.ibm.com/support/docview.wss?uid=swg22000795 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director. *** http://www.ibm.com/support/docview.wss?uid=isg3T1025202 --------------------------------------------- *** IBM Security Bulletin: Multiple Security Vulnerabilities exist in IBM Cognos Express. *** http://www.ibm.com/support/docview.wss?uid=swg22002268 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 13-06-2017
by Daily end-of-shift report 13 Jun '17

13 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 12-06-2017 18:00 − Dienstag 13-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Security Bulletins posted *** --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-17), Adobe Shockwave Player (APSB17-18), Adobe Captivate (APSB17-19) and Adobe Digital Editions (APSB17-20). Adobe recommends users update their product installations to the latest versions... --------------------------------------------- https://blogs.adobe.com/psirt/?p=1469 *** SAP Security Patch Day - June2017 *** --------------------------------------------- On 13th of June 2017, SAP Security Patch Day saw the release of 18 security notes. Additionally, there were 3 updates to previously released security notes. --------------------------------------------- https://blogs.sap.com/2017/06/13/sap-security-patch-day-june2017/ *** Analyzing Xavier: An Information-Stealing Ad Library on Android *** --------------------------------------------- We have recently discovered a Trojan Android ad library called Xavier that steals and leaks a user's information silently. Xavier's impact has been widespread, with more than 800 applications embedding the ad library's SDK having been downloaded millions of times from Google Play. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Vlm6uUCaCKU/ *** [2017-06-13] Access Restriction Bypass in Atlassian Confluence *** --------------------------------------------- An attacker can manually subscribe to pages of Atlassian Confluence which he is not able to view and he then receive any further comments made on the restricted page. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** FIN7 Hitting Restaurants with Fileless Malware *** --------------------------------------------- A campaign attributed to the FIN7 attackers targets restaurants with phishing emails and infected RTF Word documents that carry out fileless malware attacks. --------------------------------------------- http://threatpost.com/fin7-hitting-restaurants-with-fileless-malware/126213/ *** More Bypassing of Malware Anti-Analysis Techniques *** --------------------------------------------- For last few articles, we have seen how malware employs some anti-analysis techniques and how we can bypass those techniques. Now, let's raise the bar a bit more and look out for more advanced anti-analysis techniques. In this article, we will look at how we can reach the Original Entry Point of a packed Exe ... --------------------------------------------- http://resources.infosecinstitute.com/bypassing-malware-anti-analysis-techn… *** Learning Pentesting with Metasploitable3 - Part 2 *** --------------------------------------------- Introduction: This is the second part in this series of articles on Learning Pentesting with Metasploitable3. We have prepared our lab setup in our previous article. This article shows the Information Gathering techniques that are typically used during Penetration Testing by using Metasploitable3 VM. This phase is crucial during a penetration test as we will ... --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-p… *** Multiple (0day) vulnerabilities in Schneider Electric U.motion Builder *** --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-383/ http://www.zerodayinitiative.com/advisories/ZDI-17-384/ http://www.zerodayinitiative.com/advisories/ZDI-17-385/ http://www.zerodayinitiative.com/advisories/ZDI-17-386/ http://www.zerodayinitiative.com/advisories/ZDI-17-387/ http://www.zerodayinitiative.com/advisories/ZDI-17-388/ http://www.zerodayinitiative.com/advisories/ZDI-17-389/ http://www.zerodayinitiative.com/advisories/ZDI-17-390/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM API Connect is affected by an information disclosure vulnerability (CVE-2017-1379). *** http://www.ibm.com/support/docview.wss?uid=swg22004714 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-2619) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010155 --------------------------------------------- *** IBM Security Bulletin: Weak default password lockout policy in IBM BigFix Compliance Analytics (CVE-2017-1197) *** http://www-01.ibm.com/support/docview.wss?uid=swg22004170 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by security vulnerabilities in OpenStack (CVE-2015-1852 and CVE-2015-7546) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010157 --------------------------------------------- *** IBM Security Bulletin: A Cross-site scripting vulnerability in IBM Websphere Application Server, affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-8934) *** http://www-01.ibm.com/support/docview.wss?uid=swg21996989 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-5986) *** http://www.ibm.com/support/docview.wss?uid=swg2C1000200 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 12-06-2017
by Daily end-of-shift report 12 Jun '17

12 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 09-06-2017 18:00 − Montag 12-06-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** Banking trojan executes when targets hover over link in PowerPoint doc *** --------------------------------------------- Criminal hackers have started using a novel malware attack that infects people when their mouse hovers over a link embedded in a malicious PowerPoint file. The method - which was used in a recent spam campaign that attempted to install a bank-fraud backdoor alternately known as Zusy, OTLARD, and Gootkit - is notable because it didn't rely on macros, visual basic scripts, or JavaScript to deliver its payload. --------------------------------------------- https://arstechnica.com/security/2017/06/malicious-powerpoint-files-can-inf… *** RSA Identity Management and Governance Input Validation Flaws Let Remote and Remote Authenticated Users Conduct Cross-Site Scripting Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1038648 *** FIRST announces availability of new Common Vulnerability Scoring System (CVSS) release *** --------------------------------------------- Third version aims to make the system more applicable to modern concerns --------------------------------------------- https://www.first.org/newsroom/releases/20150610 *** [remote] Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42158/?rss *** DFN-CERT-2017-0993/">libgcrypt: Eine Schwachstelle ermöglicht das Ausspähen von Informationen *** --------------------------------------------- Ein entfernter, nicht authentisierter Angreifer, der den EdDSA-Sitzungsschlüssel während eines Signaturprozesses in einer Seitenkanalattacke abgreifen kann, kann daraus den 'Long Term Secret Key' rekonstruieren und nachfolgend die Sicherheitsvorkehrung der Sitzungsverschlüsselung umgehen, um Informationen aus Sitzungen auszuspähen. Der Hersteller stellt libgcrypt 1.7.7 als Sicherheitsupdate bereit. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0993/ *** Bugtraq: [security bulletin] HPESBUX03759 rev.1 - HP-UX CIFS Sever using Samba, Multiple Remote Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE HP-UX CIFS server using Samba. The vulnerabilities can be exploited remotely to allow authentication bypass, code execution, and unauthorized access. References: CVE-2017-7494 --------------------------------------------- http://www.securityfocus.com/archive/1/540701 *** Bugtraq: [SECURITY] [DSA 3877-1] tor security update *** --------------------------------------------- Package : tor CVE ID : CVE-2017-0376 Debian Bug : 864424 It has been discovered that Tor, a connection-based low-latency anonymous communication system, contain a flaw in the hidden service code when receiving a BEGIN_DIR cell on a hidden service rendezvous circuit. A remote attacker can take advantage of this flaw to cause a hidden service to crash with an assertion failure (TROVE-2017-005). --------------------------------------------- http://www.securityfocus.com/archive/1/540705 *** Bugtraq: [security bulletin] HPESBHF03730 rev.2 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- Potential security vulnerabilities have been identified in HPE Aruba ClearPass Policy Manager. The vulnerabilities could be remotely exploited to allow access restriction bypass, arbitrary command execution, cross site scripting (XSS), escalation of privilege and disclosure of information. References: CVE-2017-5824, CVE-2017-5825, CVE-2017-5826, CVE-2017-582, CVE-2017-5828, CVE-2017-5829, CVE-2017-5647 --------------------------------------------- http://www.securityfocus.com/archive/1/540704 *** Security Advisory - Memory Double Free Vulnerability in Touch Panel Driver of Some Huawei Smart Phones *** --------------------------------------------- The Touch Panel (TP) driver of some Huawei smart phones has a memory double free vulnerability. An attacker with the root privilege of the Android system tricks a user into installing a malicious application, and the application can start multiple threads and try to free specific memory, which could triggers double free and causes a system crash or arbitrary code execution. (Vulnerability ID: HWPSIRT-2017-04111) CVE-2017-8141. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Security Advisory - Multiple Vulnerabilities in UMA Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170612-… *** Linux Muldrop.14: Cryptomining-Malware befällt ungeschützte Raspberry Pi *** --------------------------------------------- Eine neue Malware befällt ausschließlich Raspberry Pi und nutzt die Geräte, um Cryptowährungen zu minen. Nutzer können sich relativ leicht dagegen schützen. (Security, Malware) --------------------------------------------- https://www.golem.de/news/linux-muldrop-14-cryptomining-malware-befaellt-un… *** Vuln: VMware Horizon View Client CVE-2017-4918 Command Injection Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98984 *** DFN-CERT-2017-1012/">Sophos UTM: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- Mehrere Schwachstellen in den Komponenten BIND, Kernel, NTP, OpenSSL und OpenVPN ermöglichen einem entfernten, in vielen Fällen nicht authentisierten Angreifer verschiedene Denial-of-Service (DoS)-Angriffe auf Sophos UTM. Sophos veröffentlicht die Sophos UTM Software in Version 9.501 als Maintenance Release zur Behebung der genannten Schwachstellen. Darüber hinaus werden verschiedene weitere Programmfehler aus den Bereichen AWS, Basesystem, Confd, Email, Network, Reporting, RESTD, Sandboxd, WAF, Web, WebAdmin und WiFi behoben. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1012/ *** Pwn2Own: Safari sandbox part 1 - Mount yourself a root shell *** --------------------------------------------- Today we have CVE-2017-2533 / ZDI-17-357 for you, a race condition in a macOS system service which could be used to escalate privileges from local admin to root. We used it in combination with other logic bugs to escape the Safari sandbox at this year's Pwn2Own competition. --------------------------------------------- https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc *** Industroyer: Fortgeschrittene Malware soll Energieversorgung der Ukraine gekappt haben *** --------------------------------------------- Sicherheitsforscher haben nach eigenen Angaben eine Art zweites Stuxnet entdeckt: Einen Trojaner, der auf die Steuerung von Umspannwerken zugeschnitten ist. Er soll für Angriffe auf den ukrainischen Stromversorger Ukrenergo verantwortlich sein. --------------------------------------------- https://heise.de/-3740606 *** CSIRT maturity evaluation process - How is CSIRT maturity assessed? *** --------------------------------------------- ENISA has published a new practical guide for CSIRTs so that they are better prepared to protect their constituencies and improve teams maturity. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/csirt-maturity-evaluation-proce… *** Vuln: D-Link DIR-615 Wireless N 300 Router CVE-2017-9542 Authentication Bypass Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/98992 *** Healthcare Industry Cybersecurity Report *** --------------------------------------------- New US government report: "Report on Improving Cybersecurity in the Health Care Industry." Its pretty scathing, but nothing in it will surprise regular readers of this blog.Its worth reading the executive summary, and then skimming the recommendations. Recommendations are in six areas.The Task Force identified six high-level imperatives by which to organize its recommendations and action items. The imperatives are:Define and streamline leadership, governance, and expectations for --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/healthcare_indu.html *** Behind the CARBANAK Backdoor *** --------------------------------------------- In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK (aka Anunak). Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution. With these details, we will then draw some conclusions about the operators of CARBANAK. For some additional background on the CARBANAK backdoor, see the papers by Kaspersky and Group-IB and Fox-It. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-bac… *** Erste SambaCry-Angriffe: Trojaner schürft Kryptowährung auf Linux-Servern *** --------------------------------------------- Sicherheitsforscher haben einen Trojaner entdeckt, der durch die vor kurzem entdeckte Samba-Lücke in Linux-Server einbricht und dann mit deren Hardware Kryptogeld erzeugt. --------------------------------------------- https://heise.de/-3740976 *** OSX/MacRansom; analyzing the latest ransomware to target macs *** --------------------------------------------- Looks like somebody on the dark web is offering Ransomware as a Service...that's designed to infect Macs! --------------------------------------------- https://objective-see.com/blog/blog_0x1E.html *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology *** http://www.ibm.com/support/docview.wss?uid=swg22004534 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Insight *** http://www-01.ibm.com/support/docview.wss?uid=swg22003367 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Reporting for Development Intelligence *** http://www-01.ibm.com/support/docview.wss?uid=swg22003366 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Management Module (IMM) for System x & BladeCenter *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integrated Management Module (IMM) for System x & BladeCenter *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Cross-site scripting vulnerabilities affect IBM Rational Quality Manager *** http://www.ibm.com/support/docview.wss?uid=swg22004428 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote authenticated attacker to execute arbitrary commands on the system as administrator (CVE-2016-9984) *** http://www.ibm.com/support/docview.wss?uid=swg21998608 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-5597 CVE-2016-5546 CVE-2016-5548 CVE-2016-5549 CVE-2016-5547 CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg21998779 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919) *** http://www.ibm.com/support/docview.wss?uid=swg21999544 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0636) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010085 --------------------------------------------- *** IBM Security Bulletin: Java Platform Standard Edition Vulnerability in Multiple N Series Products (CVE-2016-0603) *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010086 ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 9-06-2017
by Daily end-of-shift report 09 Jun '17

09 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 08-06-2017 18:00 − Freitag 09-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Is WannaCry Really Ransomware? *** --------------------------------------------- This post summarizes the significant efforts of a McAfee threat research team that has been relentless in its efforts to gain a deeper understanding of the WannaCry ransomware. We would like to specifically acknowledge Christiaan Beek, Lynda .. --------------------------------------------- https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-really-… *** Phishing Leveraging the Sucuri Brand *** --------------------------------------------- We are always on guard for phishing emails and websites that might try to compromise our customers or employees, so that we can be on top of the issue and warn as many people as possible. Targeted .. --------------------------------------------- https://blog.sucuri.net/2017/06/phishing-leveraging-sucuri-brand.html *** Windows 10 Creators Update provides next-gen ransomware protection *** --------------------------------------------- Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-upd… *** Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan *** --------------------------------------------- We found another unique method being used to deliver malware—abusing the action that happens when simply hovering the mouse’s pointer over a hyperlinked picture or text in a PowerPoint .. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/mouseover-otlard… *** Hacker stehlen "Cyberpunk 2077"-Daten und erpressen Hersteller CD Projekt *** --------------------------------------------- "The Wicher 3"-Entwickler gab Diebstahl in einer Stellungnahme bekannt --------------------------------------------- http://derstandard.at/2000059016376 *** In eigener Sache: Umstellung auf wöchentliches Wartungsfenster *** --------------------------------------------- Um die Administration zu erleichtern, werden wir ab 22. 6. 2017 auf ein wöchentliches Wartungsfenster umstellen: dieses wird jeweils am Donnerstag von 19-22h sein. Falls also .. --------------------------------------------- http://www.cert.at/services/blog/20170609114214-2029.html *** Android-Trojaner Dvmap kompromittiert Systeme wie kein anderer *** --------------------------------------------- Sicherheitsforscher warnen vor einem Schädling in Google Play, der Android-Geräte mit bisher unbekannten Methoden komplett in seine Gewalt bringen kann. --------------------------------------------- https://heise.de/-3739451 *** Steirische WK richtet Hotline für Firmen gegen Cyberangriffe ein *** --------------------------------------------- Pilotversuch startet in der Steiermark – Mehr als jedes fünfte Unternehmen bereits Opfer von Angriffen aus dem Netz --------------------------------------------- http://derstandard.at/2000059028695 *** SSA-023589 (Last Update 2017-06-09): SMBv1 Vulnerabilities in Advanced Therapy Products from Siemens Healthineers *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589… *** Microsoft: OpenBSD kommt für die Azure-Cloud *** --------------------------------------------- Das Unix-Betriebssystem OpenBSD gilt als besonders sicher und stabil. Microsoft erkennt dessen Potential und macht es für Azure verfügbar. Dazu kooperiert das Unternehmen mit .. --------------------------------------------- https://www.golem.de/news/microsoft-openbsd-kommt-fuer-die-azure-cloud-1706… *** DomainTools 101: DNS Shadow Hack-Attacked *** --------------------------------------------- In this article we will dive into the attack vector known as domain shadowing, and how it can land an .. --------------------------------------------- https://blog.domaintools.com/2017/06/domaintools-101-dns-shadow-hack-attack…

1 0

Tageszusammenfassung - Donnerstag 8-06-2017
by Daily end-of-shift report 08 Jun '17

08 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 07-06-2017 18:00 − Donnerstag 08-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Deceptive Advertisements: What they do and where they come from *** --------------------------------------------- About a week ago, a reader asked for help with a nasty typo squatting incident: The site, yotube.com, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support. Investigating the site, I found ads, all of which can be characterized as deceptive. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22494 *** SSTIC 2017 Wrap-Up Day #1 *** --------------------------------------------- I’m in Rennes, France to attend my very first edition of the SSTIC conference. SSTIC is an event organised in France, by and for French people. The acronym means “Symposium sur la sécurité des technologies de l’information et des communications“. The event has a good reputation about its content but is also known to have a very strong policy to sell tickets. --------------------------------------------- https://blog.rootshell.be/2017/06/08/sstic-2017-wrap-day-1/ *** Summer STEM for Kids *** --------------------------------------------- Its summertime and your little hackers need something to keep them busy! Let look at some of the options for kids to try out. Ive tried out each of these programs and have had good luck with them. Please post in comments any site you have been successful with your kids in teaching them STEM or IT Security. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22496 *** Sicherheitsupdates: VMware vSphere Data Protection angreifbar *** --------------------------------------------- In einer Komponente von vSphere klaffen zwei als kritisch eingestufte Lücken, über die Angreifer beliebige Befehle ausführen und Log-in-Daten abziehen können. --------------------------------------------- https://heise.de/-3737673 *** Foscam: IoT-Hersteller ignoriert Sicherheitslücken monatelang *** --------------------------------------------- Die IoT-Apokalypse hört nicht auf: Erneut wurden zahlreiche Schwachstellen in einer IP-Kamera dokumentiert. Der Hersteller reagiert mehrere Monate lang nicht auf die Warnungen. --------------------------------------------- https://www.golem.de/news/foscam-iot-hersteller-ignoriert-sicherheitsluecke… *** A new Linux Malware targets Raspberry Pi devices to mine Cryptocurrency *** --------------------------------------------- Security researchers at Dr. Web discovered two new Linux Malware, one of them mines for cryptocurrency using Raspberry Pi Devices. Malware researchers at the Russian antivirus maker Dr.Web have discovered a new Linux trojan, tracked as Kinux.MulDrop.14, that is infecting Raspberry Pi devices with the purpose of mining cryptocurrency. --------------------------------------------- http://securityaffairs.co/wordpress/59842/malware/linux-malware-raspberry-p… *** The Reigning King of IP Camera Botnets and its Challengers *** --------------------------------------------- Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/XMVX_tvNlNw/ *** Versehentlich aktiviertes Debugging-Tool gefährdet Cisco Data Center Network Manager *** --------------------------------------------- Sicherheitsupdates schließen zum Teil als kritisch eingestufte Lücken in Cisco AnyConnect, DCNM und TelePresence. --------------------------------------------- https://heise.de/-3737633 *** Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the role-based access control (RBAC) functionality of Cisco Prime Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to access sensitive information or execute arbitrary code with root privileges on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Context Service SDK Arbitrary Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the update process for the dynamic JAR file of the Cisco Context Service software development kit (SDK) could allow an unauthenticated, remote attacker to execute arbitrary code on the affected device with the privileges of the web server.The vulnerability is due to insufficient validation of the update JAR files signature. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…

1 0

Tageszusammenfassung - Mittwoch 7-06-2017
by Daily end-of-shift report 07 Jun '17

07 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 06-06-2017 18:00 − Mittwoch 07-06-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz *** Rockwell Automation PanelView Plus 6 700-1500 *** --------------------------------------------- This advisory contains mitigation details for a missing authorization vulnerability in Rockwell Automation's PanelView Plus 6 700-1500. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-01 *** Digital Canal Structural Wind Analysis *** --------------------------------------------- This advisory contains mitigation details for a stack-based buffer overflow vulnerability in Digital Canal Structural's Wind Analysis. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02 *** Curiosity Kills Security When it Comes to Phishing *** --------------------------------------------- The results of an academic experiment reveal that recipients of Facebook messages are much more likely to click on suspicious links. --------------------------------------------- http://threatpost.com/curiosity-kills-security-when-it-comes-to-phishing/12… *** Privileges and Credentials: Phished at the Request of Counsel *** --------------------------------------------- Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-… *** Russische Hacker erteilen Befehle über Britney Spears Instagram *** --------------------------------------------- Adresse von Kontrollserver wurde in Nutzerkommentar zu Foto des Popstars versteckt. --------------------------------------------- http://derstandard.at/2000058853606 *** VMware-Admins aufgepasst: Es gibt wichtige Updates für ESXi *** --------------------------------------------- Wer Version 6.0 des ESXi-Hypervisors von VMware einsetzt, sollte Zeit zum Patchen einplanen. Einige Bugs und Sicherheitslücken wollen ausgebügelt werden. --------------------------------------------- https://heise.de/-3736872 *** [2017-06-07] Various WiMAX CPEs Authentication Bypass *** --------------------------------------------- Various WiMAX routers by GreenPacket, Huawei, MADA, MitraStar, ZTE and ZyXEL are affected by an authentication bypass vulnerability that allows an attacker to take over the web interface. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers *** --------------------------------------------- SEC Consult has found a vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers. The vulnerability allows an attacker to change the password of the admin user. --------------------------------------------- http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.… *** PLATINUM continues to evolve, find ways to maintain invisibility *** --------------------------------------------- Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-e… *** VMSA-2017-0010 *** --------------------------------------------- vSphere Data Protection (VDP) updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0010.html

1 0

Tageszusammenfassung - Dienstag 6-06-2017
by Daily end-of-shift report 06 Jun '17

06 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 02-06-2017 18:00 − Dienstag 06-06-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Hack Brief: Dangerous ‘Fireball’ Adware Infects a Quarter Billion PCs *** --------------------------------------------- A widespread adware infection hides the ability to inflict far worse than spammy browser tweaks. --------------------------------------------- https://www.wired.com/2017/06/hack-brief-dangerous-fireball-adware-infects-… *** FakeGlobe and Cerber Ransomware: Sneaking under the radar while WeCry *** --------------------------------------------- Recently, we observed a constant influx of spam that distributes two ransomware families, perhaps trying to sneak in while everyone is focused with the recent WannaCry malware. Based on data .. --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/FakeGlobe-and-Cerber-Ransomw… *** Wie Hacker mit ihren Smartphones beim Glücksspiel betrügen *** --------------------------------------------- Russische Mafia konnte Automaten durch Reverse Engineering durchschauen und per Vibrationsalarm richtigen Moment zum Drücken festlegen --------------------------------------------- http://derstandard.at/2000052237768 *** DSA-3873 perl - security update *** --------------------------------------------- The cPanel Security Team reported a time of check to time of use(TOCTTOU) race condition flaw in File::Path, a core module from Perl to create or remove directory trees. An attacker can take .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3873 *** 53 Percent of Enterprise Flash Installs are Outdated *** --------------------------------------------- More than half of enterprises are exposing themselves to unnecessary risk by running out-of-date versions of Flash. --------------------------------------------- http://threatpost.com/53-percent-of-enterprise-flash-installs-are-outdated/… *** 40,000 Subdomains Tied to RIG Exploit Kit Shut Down *** --------------------------------------------- GoDaddy, along with researchers from RSA Security and other companies, shut down tens of thousands of illegal established subdomains tied to the RIG Exploit Kit. --------------------------------------------- http://threatpost.com/40000-subdomains-tied-to-rig-exploit-kit-shut-down/12… *** Passwortmanager: Kundendaten von Onelogin gehackt *** --------------------------------------------- Ein Passwortmanager soll Nutzern helfen, sichere Passwörter zu generieren und sicher zu speichern. Bei dem Betreiber Onelogin wurden jedoch zahlreiche Informationen von Nutzern durch .. --------------------------------------------- https://www.golem.de/news/passwortmanger-kundendaten-von-onelogin-gehackt-1… *** Security Advisory 2017-03: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-03-security-update-otrs-version… *** Security Advisory 2017-02: Security Update for all OTRS Versions *** --------------------------------------------- https://www.otrs.com/security-advisory-2017-02-security-update-otrs-version… *** Erpressungstrojaner WannaCry: Mängel im Code steigern Chancen für Opfer *** --------------------------------------------- Sicherheitsforscher haben sich den Code der Ransomware angeschaut und diverse Schnitzer gefunden. Mit etwas Glück können Opfer wieder Zugriff auf ihre Dateien bekommen. --------------------------------------------- https://heise.de/-3734698 *** Patchday: Fehlerbereinigte Android-Versionen für Nexus, Pixel & Co. veröffentlicht *** --------------------------------------------- Google hat mehrere Sicherheitslücken in Android gestopft – darunter auch kritische. Wer ein Google-Gerät besitzt, sollte es zügig aktualisieren. Auch Besitzer von Geräten anderer Hersteller sollten prüfen, ob es eine Aktualisierung gibt. --------------------------------------------- https://heise.de/-3735188

1 0

Tageszusammenfassung - Freitag 2-06-2017
by Daily end-of-shift report 02 Jun '17

02 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 01-06-2017 18:00 − Freitag 02-06-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller *** --------------------------------------------- This advisory contains mitigation details for a use of hard-coded password vulnerability in the Phoenix Broadband Technologies LLC PowerAgent SC3 Site Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-152-01 *** Passwords at the Border *** --------------------------------------------- The password-manager 1Password has just implemented a travel mode that tries to protect users while crossing borders. It doesnt make much sense. To enable it, you have to create a list of passwords you feel safe traveling with, and then you can turn on the mode .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/passwords_at_th.html *** Financial malware more than twice as prevalent as ransomware *** --------------------------------------------- Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate .. --------------------------------------------- https://www.symantec.com/connect/blogs/financial-malware-more-twice-prevale… *** CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB *** --------------------------------------------- After taking last week off, WikiLeaks came back today and released documentation on another .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean… *** DSA-3872 nss - security update *** --------------------------------------------- Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or information disclosure. --------------------------------------------- https://www.debian.org/security/2017/dsa-3872 *** DSA-3871 zookeeper - security update *** --------------------------------------------- It was discovered that Zookeeper, a service for maintaining configuration information, didn't restrict access to the computationally expensive wchp/wchc commands which could result in denial of service by elevated CPU consumption. --------------------------------------------- https://www.debian.org/security/2017/dsa-3871 *** Riverbed SteelHead VCX 9.6.0a Arbitrary File Read *** --------------------------------------------- https://cxsecurity.com/issue/WLB-2017060017 *** Weak DevOps cryptographic policies increase financial services cyber risk *** --------------------------------------------- Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications. This is a particular issue for financial services organizations, which have .. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/02/weak-devops-cryptographic-polici… *** Phishing Campaigns Follow Trends *** --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22482 *** WannaCry and Vulnerabilities *** --------------------------------------------- There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which .. --------------------------------------------- https://www.schneier.com/blog/archives/2017/06/wannacry_and_vu.html *** Hadoop Servers Expose Over 5 Petabytes of Data *** --------------------------------------------- Improperly configured HDFS-based servers, mostly Hadoop installs, are exposing over five petabytes of information, according to John Matherly, founder of Shodan, a .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hadoop-servers-expose-over-5… *** IBM Security Bulletin: Vulnerability in Samba affects IBM Netezza Host Management *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003112 *** Check-Point-Bericht: Gefährliche Backdoor in jedem zehnten deutschen Unternehmensnetz *** --------------------------------------------- Die Fireball getaufte Adware ist mit über 250 Millionen Installationen nicht nur sehr verbreitet, sondern auch sehr gefährlich: Laut Check Point kann sie beliebigen Code auf dem System ausführen und so auch Malware nachladen. --------------------------------------------- https://heise.de/-3732893

1 0

Tageszusammenfassung - Donnerstag 1-06-2017
by Daily end-of-shift report 01 Jun '17

01 Jun '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 31-05-2017 18:00 − Donnerstag 01-06-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Aufgepasst: Googles AMP wird zur Tarnung von Phishing-Angriffen missbraucht *** --------------------------------------------- Russische Hacker benutzen Googles AMP-Dienst, um böse URLs als Google-Dienste zu tarnen. Es ist nur eine Frage der Zeit, bis das Schule macht. --------------------------------------------- https://heise.de/-3731578 *** Cisco, Netgear Readying Patches for Samba Vulnerability *** --------------------------------------------- Cisco is prepping fixes for two of its products affected by last weeks Samba vulnerability. Netgear has also pushed out a fix for NAS devices that were affected. --------------------------------------------- http://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerabilit… *** Sharing Private Data with Webcast Invitations, (Thu, Jun 1st) *** --------------------------------------------- Last week, at a customer, we received a forwarded emailin a shared mailbox. It was somebody from another department that shared an invitation for a webcast that could be interesting for you, guys!. This time, no phishing attempt, no malware, just a regular email sent from a well-known security vendor. A colleague was interested in the webcast and clicked on the registration link. He was redirected to a page and was surprised to see all the fields already prefilled with the personal details of [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22478&rss *** Motorcycle Gang Busted For Hacking and Stealing Over 150 Jeep Wranglers *** --------------------------------------------- An anonymous reader writes: "The FBI has arrested members of a motorcycle gang accused to have hacked and stolen over 150 Jeep Wranglers from Southern California, which they later crossed the border into Mexico to have stripped down for parts," reports Bleeping Computer. What stands apart is how the gang operated. This involved gang members getting the Jeep Wrangler VIN (Vehicle Identification Number), accessing a proprietary Jeep database, and getting two codes needed to create a [...] --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/xYKBhycly0Q/motorcycle-gang… *** An Elegant Way to Ruin Your Company's Day - Introduction to Public AWS EBS Snapshots *** --------------------------------------------- TL;DR Creating public (unencrypted) EBS Snapshots might not be a great idea. Even if you are going to share them "just for a second". A lot can be fished out of these snapshots: ssh keys, tls/ssl certificates, aws credentials, private source code and internal (extremely) valuable HR/Accounting/IT documents. --------------------------------------------- https://www.nvteh.com/news/problems-with-public-ebs-snapshots *** Credit Card Breach at Kmart Stores. Again. *** --------------------------------------------- For the second time in less than three years, Kmart Stores is battling a malware-based security breach of its store credit card processing systems. Last week I began hearing from smaller banks and credit unions who said they strongly suspected another card breach at Kmart. Some of those institutions received alerts from the credit card companies about batches of stolen cards that all had one thing in comment: They were all used at Kmart locations. Ask to respond to rumors about a card breach, [...] --------------------------------------------- https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-agai… *** NCSC releases factsheet Indicators of Compromise *** --------------------------------------------- In order to observe malicious digital activities within an organisation, Indicators of Compromise (IoCs) are a valuable asset. With IoCs, organisations can gain quick insights at central points in the network into malicious digital activities. When your organisation observes these activities, it is important to know what you can do to trace back which system is infected. Obtain as much contextual information with an IoC as possible, so that you get a clear picture of what is happening and how --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-releases-factsheet-ind… *** WannaCry Development Errors Enable File Recovery *** --------------------------------------------- Researchers at Kaspersky Lab have found a number of programming errors in the WannaCry ransomware code that put file recovery within reach of sysadmins. --------------------------------------------- http://threatpost.com/wannacry-development-errors-enable-file-recovery/1260… *** OneLogin suffers data breach, again *** --------------------------------------------- OneLogin, a popular single sign-on service that allows users to access thousands of popular cloud-based apps with just one password, has suffered what seems to be a serious data breach. According to a short blog post by the company's Chief Information Security Officer Alvaro Hoyos, they discovered the breach when, on Wednesday, they detected unauthorized access to OneLogin data in their US data region. --------------------------------------------- https://www.helpnetsecurity.com/2017/06/01/onelogin-data-breach/ *** [webapps] OV3 Online Administration 3.0 - Remote Code Execution *** --------------------------------------------- OV3 Online Administration 3.0 - Remote Code Execution --------------------------------------------- https://www.exploit-db.com/exploits/42096/?rss *** Indicators Associated With WannaCry Ransomware (Update H) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01G Indicators Associated With WannaCry Ransomware that was published May 30, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01H *** Security Advisory - Multiple Security Vulnerabilities in HedEx product *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… *** DFN-CERT-2017-0945: Red Hat CloudForms Management Engine: Zwei Schwachstellen ermöglichen u.a. das Ausspähen von Informationen *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0945/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier (CVE-2016-9977) *** http://www.ibm.com/support/docview.wss?uid=swg22003981 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in expat, nss, bind , policycoreutils, sudo shipped with SmartCloud Entry Appliance *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025119 --------------------------------------------- *** IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2016-6816, CVE-2016-6817, CVE-2016-8735 ) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009962 --------------------------------------------- *** IBM Security Bulletin: IBM Spectrum Protect (formerly Tivoli Storage Manager) Windows Client password exposure (CVE-2016-8939) *** http://www.ibm.com/support/docview.wss?uid=swg22003738 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003673 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004078 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Storage FlashCopy Manager VMware (CVE-2016-6303, CVE-2016-2182, CVE-2016-2177, CVE-2016-2183, CVE-2016-6309, CVE-2016-7052, CVE-2016-2178, CVE-2016-6306) *** http://www.ibm.com/support/docview.wss?uid=swg22000589 --------------------------------------------- *** IBM Security Bulletin: A vulnerability in the GSKit library affects IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004075 --------------------------------------------- *** IBM Security Bulletin: Multiple Security vulnerabilities in WebSphere Application Server Community Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22002267 --------------------------------------------- *** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010243 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004074 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Metrics Manager *** http://www-01.ibm.com/support/docview.wss?uid=swg22004077 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows *** http://www-01.ibm.com/support/docview.wss?uid=swg22002135 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM RackSwitch Products *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset Analyzer *** http://www-01.ibm.com/support/docview.wss?uid=swg22003418 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2017-3731, CVE-2016-7055) *** http://www.ibm.com/support/docview.wss?uid=swg22003793 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libX11 affect IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in libxml2 affects IBM BladeCenter Advanced Management Module (AMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affects MegaRAID Storage Manager (CVE-2016-8610) *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in dosfstools affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter systems *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: IBM Development Package for Apache Spark update of IBM SDK Java Technology Edition *** http://www-01.ibm.com/support/docview.wss?uid=swg22003200 --------------------------------------------- *** IBM Security Bulletin: IBM Cognos Business Intelligence Server 2017Q2 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. *** http://www.ibm.com/support/docview.wss?uid=swg22004036 ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 31-05-2017
by Daily end-of-shift report 31 May '17

31 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 30-05-2017 18:00 − Mittwoch 31-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Personal Security Guide - WiFi Network *** --------------------------------------------- This is the third part in our series on personal security that offers methods to strengthen your overall security posture. By taking a holistic approach to security, you are protecting your website against attack vectors due to poor security practices in various aspects of your digital life. This post shares some insight on how to secure your network. When we talk about a network, we mean the way you connect to the internet. --------------------------------------------- https://blog.sucuri.net/2017/05/personal-security-guide-network-connection.… *** Kritische Infrastruktur: Meldepflicht für IT-Vorfälle deutlich erweitert *** --------------------------------------------- Die Meldepflicht für IT-Sicherheitsvorfälle ist auf weitere Branchen ausgedehnt worden. Damit steigt die Gesamtzahl auf mehr als 1.600 Einrichtungen in ganz Deutschland. --------------------------------------------- https://www.golem.de/news/kritische-infrastruktur-meldepflicht-fuer-it-vorf… *** HospitalGown: Appthority Discovers Backend Exposure of 43TB of Enterprise Data *** --------------------------------------------- [...] It's understandable that in mobile security we focus on the device, the apps it runs, and the networks it connects to. But what happens to the data from there? Cloud computing and storage are ubiquitous, advertising networks are the default revenue model for many apps, and analytics frameworks are driving design and implementation decisions. We can't ignore where the data goes. Like any other component of the larger system, these backend servers can introduce additional risk, [...] --------------------------------------------- https://www.appthority.com/mobile-threat-center/blog/hospitalgown-appthorit… http://info.appthority.com/hubfs/website-LEARN-content/Appthority%20Q2-17%2… *** XData Ransomware Master Decryption Keys Released. Kaspersky Releases Decryptor. *** --------------------------------------------- In what has become a welcome trend, today another ransomware master decryption key was released on BleepingComputer.com. This time the key that was released is for the XData Ransomware that was targeting the Ukraine around May 19th 2017. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/xdata-ransomware-master-decr… *** Indicators Associated With WannaCry Ransomware (Update G) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01F Indicators Associated With WannaCry Ransomware that was published May 25, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01G *** WannaCry: Two Weeks and 16 Million Averted Ransoms Later *** --------------------------------------------- [...] What WannaCry does has been extensively documented by others, as seen in reports by BAE Systems, MalwareBytes, Endgame, and Talos. Rather than focusing on the technical functionality of the malware, this article will open a window into our recent experience with managing, mitigating, and tracking the propagation and evolution of the WannaCry outbreak, and the true extent of its reach. --------------------------------------------- https://blog.kryptoslogic.com/malware/2017/05/29/two-weeks-later.html *** Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st) *** --------------------------------------------- Introduction In my previous diary, I did a very brief introduction on what the ACH method is [1], so that now all readers, also those who had never seen it before, can have a common basic understanding of it. One more thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22470&rss *** [webapps] Trend Micro Deep Security version 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution *** --------------------------------------------- https://www.exploit-db.com/exploits/42089/?rss *** Vulnerability in Samba Affecting Cisco Products: May 2017 *** --------------------------------------------- On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated attacker to execute arbitrary code remotely on a targeted system.This vulnerability has been assigned CVE ID CVE-2017-7494This advisory is available at the following link:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/… On May 24, 2017, the Samba team disclosed a vulnerability in Samba server software that could allow an authenticated [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Huawei Security Advisories *** --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Command Injection Vulnerability in the NetEco *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Buffer Overflow Vulnerability in The GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Four Command Injection Vulnerabilities in The FusionSphere OpenStack *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Authentication Bypass Vulnerability in the Backup Function of GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Buffer Overflow Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** Security Advisory - Two Privilege Escalation Vulnerabilities in the GaussDB *** http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170531-… --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in tcpdump affect AIX *** http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager appliances *** http://www.ibm.com/support/docview.wss?uid=swg22003237 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Sterling Connect:Direct FTP+ *** http://www-01.ibm.com/support/docview.wss?uid=swg22003752 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java affect IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. *** http://www.ibm.com/support/docview.wss?uid=swg22004048 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affects IBM BigFix Compliance Analytics. *** http://www-01.ibm.com/support/docview.wss?uid=swg22002991 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web *** http://www.ibm.com/support/docview.wss?uid=swg22003236 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware and FlashCopy Manager (IBM Spectrum Protect Snapshot) for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22000212 --------------------------------------------- *** IBM Security Bulletin: IBM Security Access Manager appliances may be affected by a kernel vulnerability known as the Dirty COW bug (CVE-2016-5195) *** http://www.ibm.com/support/docview.wss?uid=swg21997991 --------------------------------------------- *** IBM Security Bulletin: MQ Explorer directory created with owner '555' on Linux x86-64 vulnerability affects IBM MQ (CVE-2016-6089) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003509 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003620 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Client and IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware *** http://www.ibm.com/support/docview.wss?uid=swg22003480 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 30-05-2017
by Daily end-of-shift report 30 May '17

30 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 29-05-2017 18:00 − Dienstag 30-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Chrome Bug Allows Sites to Record Audio and Video Without a Visual Indicator *** --------------------------------------------- Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-bug-allows-sites-to-r… *** 5 incident response practices that keep enterprises from adapting to new threats *** --------------------------------------------- Security analysts within enterprises are living a nightmare that never ends. 24 hours a day, their organizations are being attacked by outside (and sometimes inside) perpetrators - hackers, hacktivists, competitors, disgruntled employees, etc. Attacks range in scope and sophistication, but are always there, haunting the security teams tasked with guarding against them. To cope with this never-ending, ever-changing slew of threats, most organizations rely on established best practices to [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/30/incident-response-practices/ *** Darauf sollen Unternehmer bei der IT-Sicherheit achten *** --------------------------------------------- Nahezu jeden Tag werden Cyberangriffe auf Unternehmen publik. Der Schaden ist oft erheblich. Wer ein paar einfache Tipps beachtet, kann das Risiko deutlich reduzieren. --------------------------------------------- https://futurezone.at/b2b/darauf-sollen-unternehmer-bei-der-it-sicherheit-a… *** Erpressungstrojaner Jaff: Vorsicht vor Mails mit PDF-Anhang *** --------------------------------------------- Derzeit landen vermehrt E-Mails mit einem manipulierten PDF-Dokument in Posteingängen. Wer das Dokument unter Windows öffnet, kann sich die Ransomware Jaff einfangen. Diese verschlüsselt Daten und versieht sie mit der Dateiendung .wlc. --------------------------------------------- https://heise.de/-3728073 *** FreeRADIUS: Anmelde-Server dank Sicherheitslücke viel zu gutgläubig *** --------------------------------------------- Bei der Wiederaufnahme von TLS-Verbindungen überprüft der Anmelde-Server FreeRADIUS unter Umständen nicht, ob der Nutzer sich jemals richtig angemeldet hat. Für eine Software, die Anmeldungen prüfen soll, ist das fatal. --------------------------------------------- https://heise.de/-3728535 *** SANS Securing the Human Security Awareness Report 2017 *** --------------------------------------------- [...] The report highlights what successful programs do right to change behavior and what lagging programs can do to improve and move beyond compliance. --------------------------------------------- https://securingthehuman.sans.org/resources/security-awareness-report-2017 https://securingthehuman.sans.org/media/resources/STH-SecurityAwarenessRepo… *** The Most Common Social Engineering Attacks *** --------------------------------------------- Many years ago, one of the world's most popular hacker Kevin Mitnick explained in his book "The Art of Deception" the power of social engineering techniques, today we are aware that social engineering can be combined with hacking to power insidious attacks. Let's consider for example social media and mobile platforms; they are considered powerful attack [...] --------------------------------------------- http://resources.infosecinstitute.com/common-social-engineering-attacks/ *** Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution *** --------------------------------------------- The version of Serviio installed on the remote Windows/Linux host is affected by an unauthenticated password modification vulnerability due to improper access control enforcement of the Configuration REST API. A remote attacker can exploit this, via a specially crafted request, to change the login password for the mediabrowser protected page. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php *** IBM Security Bulletin: Security vulnerabilities in IBM Java Runtime affect IBM RLKS Administration and Reporting Tool Admin *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001029 *** IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Standards Processing Engine and IBM Transformation Extender Advanced (CVE-2016-5597) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003602

1 0

Tageszusammenfassung - Montag 29-05-2017
by Daily end-of-shift report 29 May '17

29 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 26-05-2017 18:00 − Montag 29-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw *** --------------------------------------------- Microsoft quietly patched a critical vulnerability found by Googles Project Zero team in the Malware Protection Engine. --------------------------------------------- http://threatpost.com/microsoft-quietly-patches-another-critical-malware-pr… *** Crysis ransomware master keys posted to Pastebin *** --------------------------------------------- Why would someone release the keys to victims? Who knows, but as the poster who uploaded them says, Enjoy! --------------------------------------------- https://nakedsecurity.sophos.com/2017/05/26/crysis-ransomware-master-keys-p… *** File2pcap - A new tool for your toolkit!, (Fri, May 26th) *** --------------------------------------------- One of our readers, Gebhard, submitted a pointer to a tool today, released byTalos, that I wasnt familiar with. However, when I realized it could generate packets, I had to try it out. Its called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22456&rss *** CyberChef a Must Have Tool in your Tool bag!, (Sun, May 28th) *** --------------------------------------------- This multipurpose and feature rich tool has been available for a while now and is updated regularly. What I find the most interesting is the number of features that are available this tool. CyberChef is fully portable and can be downloaded locally as an simple HTML self-contained page that can run in any browsers or if you prefer, you can download the package from Github and compile it yourself[2] but why bother. Since the code is updated regularly, I find the first option more practical. It [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22458&rss *** Analysis of Competing Hypotheses (ACH part 1), (Sun, May 28th) *** --------------------------------------------- In threat intelligence, by definition, an analyst will most of the times have to perform assessments in an environment of incomplete information, and/or with information that is being produced with the purpose of misleading the analyst. One of the well-known methodologies is the Analysis of Competing Hypotheses (ACH) [1], developed by Richards J. Heuer, Jr., a former CIA veteran. ACH is an analytic process that identifies a set of alternative hypotheses, and assesses whether data available are [...] --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22460&rss *** Guidance on Disabling System Services on Windows Server 2016 with Desktop Experience *** --------------------------------------------- [Primary authors: Dan Simon and Nir Ben Zvi] The Windows operating system includes many system services that provide important functionality. Different services have different default startup policies: some are started by default (automatic), some when needed (manual) and some are disabled by default and must be explicitly enabled before they can run. These defaults were... --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2017/05/29/guidance-on-disabli… *** Network Time Protocol updated to spook-harden user comms *** --------------------------------------------- Network time lords decide we dont need IP address swaps The Internet Engineering Task Force has taken another small step in protecting everybodys privacy - this time, in making the Network Time Protocol a bit less spaffy. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/29/network_tim… *** CFP Time *** --------------------------------------------- We decided to create a website for a clearer view of what conferences are happening all around the world. The project is still in beta and after seeing how the community takes it, we might take it one step further. --------------------------------------------- https://cfptime.org/cfps/about *** Dirty COW and why lying is bad even if you are the Linux kernel *** --------------------------------------------- [...] There have been plenty of articles and blog posts about the exploit, but none of them give a satisfactory explanation on exactly how Dirty COW works under the hood from the kernel's perspective. The following analysis is based on this attack POC, although the idea applies to all other similar attacks. --------------------------------------------- https://chao-tic.github.io/blog/2017/05/24/dirty-cow *** DFN-CERT-2017-0928: Microsoft Malware Protection Engine: Mehrere Schwachstellen ermöglichen u.a. die komplette Systemübernahme *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0928/ *** DFN-CERT-2017-0913: WebKitGTK+: Mehrere Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und einen Cross-Site-Scripting-Angriff *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0913/ https://webkitgtk.org/security/WSA-2017-0004.html *** DFN-CERT-2017-0925: FortiOS: Mehrere Schwachstellen ermöglichen u.a. das Erlangen von Administratorrechten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0925/ *** Security Advisory - Multiple Vulnerabilities in MTK Platform *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170527-… *** Bugtraq: Wordpress Plugin Social-Stream - Exposure of Twitter API Secret Key and Token *** --------------------------------------------- http://www.securityfocus.com/archive/1/540636 *** Bugtraq: [security bulletin] HPESBHF03730 rev.1 - HPE Aruba ClearPass Policy Manager, Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/archive/1/540635 *** Bugtraq: [security bulletin] HPESBHF03754 rev.1 - HPE ML10 Gen 9 Server using Intel Xeon E3-1200 v5 Processor, Remote Access Restriction Bypass *** --------------------------------------------- http://www.securityfocus.com/archive/1/540634 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: IBM PowerVC is affected by vulnerability in OpenStack Nova (CVE-2017-7214) *** http://www-01.ibm.com/support/docview.wss?uid=nas8N1022011 --------------------------------------------- *** IBM Security Bulletin: A security vulnerability has been identified in Red Hat Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) (CVE-2017-6462 CVE-2017-6463 CVE-2017-6464) *** http://www-01.ibm.com/support/docview.wss?uid=isg3T1025209 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDKs affect IBM Virtualization Engine TS7700 - January 2017 *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010245 --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in libxml2 and zlib affect IBM Virtual Fabric 10Gb Switch Module *** http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-50… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru, QLogic 8Gb Intelligent Pass-thru Module & SAN Switch Module for BladeCenter and QLogic Virtual Fabric Extension Module for IBM *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… ---------------------------------------------

1 0

Tageszusammenfassung - Freitag 26-05-2017
by Daily end-of-shift report 26 May '17

26 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 24-05-2017 18:00 − Freitag 26-05-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a *** Reflections on reflection (attacks) *** --------------------------------------------- Recently Akamai published an article about CLDAP reflection attacks. This got us thinking. We saw attacks from Conectionless LDAP servers back in November 2016 but totally ignored them because our systems were automatically dropping the attack .. --------------------------------------------- https://blog.cloudflare.com/reflections-on-reflections/ *** Cloak & Dagger *** --------------------------------------------- Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity. These attacks .. --------------------------------------------- http://cloak-and-dagger.org/ *** Trump’s Dumps: ‘Making Dumps Great Again’ *** --------------------------------------------- Its not uncommon for crooks who peddle stolen credit cards to seize on iconic American figures of wealth and power in the digital advertisements for these shops that run continuously on various .. --------------------------------------------- https://krebsonsecurity.com/2017/05/trumps-dumps-making-dumps-great-again/ *** Österreichs Unternehmen sind bei IT-Sicherheit Nachzügler *** --------------------------------------------- Investitionen in die Sicherheit als Chance verstehen --------------------------------------------- http://derstandard.at/2000058280565 *** 83% of Security Pros Waste Time Fixing Co-Workers Non-Security Problems *** --------------------------------------------- Security personnel in many organizations waste time every week helping co-workers with general IT problems, rather than doing their own work, which in the long run, .. --------------------------------------------- https://www.bleepingcomputer.com/news/technology/83-percent-of-security-pro… *** Schwere Sicherheitslücke in Samba gefunden *** --------------------------------------------- Exploits bereits im Netz – Updates sollten rasch eingespielt werden --------------------------------------------- http://derstandard.at/2000058287863 *** DSA-3863 imagemagick - security update *** --------------------------------------------- This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3863 *** DSA-3862 puppet - security update *** --------------------------------------------- It was discovered that unrestricted YAML deserialisation of data sent from agents to the server in the Puppet configuration management .. --------------------------------------------- https://www.debian.org/security/2017/dsa-3862 *** Manipulierte Webseiten legen Windows lahm *** --------------------------------------------- Problem mit Dateinamen verlangsamt System bis zum Stillstand – Windows 7, 8 und Vista betroffen --------------------------------------------- http://derstandard.at/2000058292526 *** Tanze (aktualisierten) Samba mit mir *** --------------------------------------------- Die Erinnerung an CVE-2017-0144, und die Auswirkungen von WannaCry, ist bei uns allen noch frisch im Gedächtnis verankert, und damit keine Langeweile aufkommt, hat Samba nun ein Advisory bezüglich einer kritischen Schwachstelle veröffentlicht: All versions of Samba .. --------------------------------------------- http://www.cert.at/services/blog/20170526134531-2020.html *** FileZilla FTP Client Adds Support for Master Password That Encrypts Your Logins *** --------------------------------------------- Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password .. --------------------------------------------- https://www.bleepingcomputer.com/news/software/filezilla-ftp-client-adds-su…

1 0

Tageszusammenfassung - Mittwoch 24-05-2017
by Daily end-of-shift report 24 May '17

24 May '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 23-05-2017 18:00 − Mittwoch 24-05-2017 18:00 Handler: Robert Waldner Co-Handler: n/a *** FIRST releases version 1.1 of the CSIRT Services Framework *** --------------------------------------------- The leading association of incident response and security teams released a new version of its CSIRT Services Framework. This is a formal list of services a Computer Security Incident Response Team (CSIRT) may consider implementing to address the needs of their constituency. --------------------------------------------- https://www.first.org/newsroom/releases/20170524 *** B. Braun Medical SpaceCom Open Redirect Vulnerability *** --------------------------------------------- This advisory was originally posted to the NCCIC Portal on March 23, 2017, and is being released to the ICS-CERT web site. This advisory contains mitigation details for an open redirect vulnerability in B. Braun Medical's SpaceCom module, which is integrated into the SpaceStation docking station. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-02 *** Trend Micro ServerProtect for Linux Multiple Bugs Let Remote Users Execute Arbitrary Code and Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks and Let Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1038548 *** OpenVPN Access Server Input Validation Flaw Lets Remote Users Conduct Session Fixation Attacks to Hijack a Target Users Session *** --------------------------------------------- A remote user can create a specially crafted URL containing the '%0A' character that, when loaded by the target user prior to authentication, will inject headers and set the session cookie to a specified value. After the target user authenticates to the target OpenVPN Access Server, the remote user can hijack the target user's session. --------------------------------------------- http://www.securitytracker.com/id/1038547 *** DFN-CERT-2017-0901/">Puppet, Puppet Enterprise: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes *** --------------------------------------------- Betroffene Software Puppet < 4.10.1 Puppet Enterprise < 2016.4.5 Puppet Enterprise < 2017.2.1 --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0901/ *** [Announce] Samba 4.6.4, 4.5.10 and 4.4.14 Available for Download *** --------------------------------------------- CVE-2017-7494: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. --------------------------------------------- https://lists.samba.org/archive/samba-announce/2017/000406.html *** Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones *** --------------------------------------------- There is Factory Reset Protection (FRP) bypass security vulnerability in some Huawei smart phones. When re-configuring the mobile phone using the factory reset protection (FRP) function, an attacker can perform some operations to update the Google account. As a result, the FRP function is bypassed. (Vulnerability ID: HWPSIRT-2017-02036). This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-2710. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170524-… *** Jaff ransomware gets a makeover *** --------------------------------------------- With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. --------------------------------------------- https://isc.sans.edu/diary/Jaff+ransomware+gets+a+makeover/22446 *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Security Guardium Data Redaction. . *** http://www-01.ibm.com/support/docview.wss?uid=swg22003466 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management generates error messages that could reveal sensitive information that could be used in further attacks against the system (CVE-2017-1292) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003414 --------------------------------------------- *** IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to HTTP response splitting attacks (CVE-2017-1291) *** http://www.ibm.com/support/docview.wss?uid=swg22003413 --------------------------------------------- *** IBM Security Bulletin: Fix Available for IBM iNotes Cross-Site Scripting Vulnerability (CVE-2017-1325) *** http://www-01.ibm.com/support/docview.wss?uid=swg22003497 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Notes *** http://www-01.ibm.com/support/docview.wss?uid=swg22000602 --------------------------------------------- *** IBM Security Bulletin: Multiple Vulnerabilities in the IBM SDK Java Technology Edition affect IBM Domino *** http://www-01.ibm.com/support/docview.wss?uid=swg22000516 ---------------------------------------------

1 0

Tageszusammenfassung - Dienstag 23-05-2017
by Daily end-of-shift report 23 May '17

23 May '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 22-05-2017 18:00 − Dienstag 23-05-2017 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter *** EU security think tank ENISA looks for IoT security, cant find any *** --------------------------------------------- Proposes baseline security spec, plus stickers to prove thing-makers have complied European network and infosec agency ENISA has taken a look at Internet of Things security, and doesnt much like what it sees. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/05/23/enisa_propo… *** Biometrie: Iris-Scanner des Galaxy S8 kann einfach manipuliert werden *** --------------------------------------------- Schon wieder zeigt sich: Biometrische Merkmale sind praktisch zum Entsperren von Geräten - sicher sind sie hingegen nicht. Ein Hacker hat gezeigt, dass sich der Irisscanner des Galaxy S8 von Samsung mit einem einfachen Foto und einer Kontaktlinse austricksen lässt. --------------------------------------------- https://www.golem.de/news/biometrie-iris-scanner-des-galaxy-s8-kann-einfach… *** Preloading in Internet Explorer 11 sends complete browsing history to Microsoft *** --------------------------------------------- Your entire browsing history will periodically be sent to Microsoft. The data sent includes all addresses you visit and when you visited them (derived from that is also how long you spent on each page), and the address of the page that referred you to each page. --------------------------------------------- https://ctrl.blog/entry/ie11-flip-out-privacy *** Windows 10 UAC Bypass Uses "Apps & Features" Utility *** --------------------------------------------- Malware authors have a new UAC bypass technique at their disposal that they can use to install malicious apps on devices running Windows 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-uac-bypass-uses-a… *** Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio *** --------------------------------------------- Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/23/subtitle-hack/ *** [2017-05-23] Arbitrary File Upload & Stored XSS in InvoicePlane *** --------------------------------------------- Multiple high risk vulnerabilities, such as arbitrary file upload and stored cross site-scripting, within the InvoicePlane software allow an attacker to compromise the affected server. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** BIG-IP Azure cloud vulnerability CVE-2017-6131 *** --------------------------------------------- BIG-IP Azure cloud vulnerability CVE-2017-6131. Security Advisory. Security Advisory Description. In some circumstances ... --------------------------------------------- https://support.f5.com/csp/article/K61757346 *** Cisco Integrated Management Controller Remote Code Execution Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an unauthenticated, remote attacker to perform unauthorized remote command execution on the affected device.The vulnerability exists because the affected software does not sufficiently sanitize specific values that are received as part of a user-supplied HTTP request. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected software. Successful exploitation... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** Cisco Integrated Management Controller Privilege Escalation Vulnerability *** --------------------------------------------- A vulnerability in the web-based GUI of Cisco Integrated Management Controller (CIMC) could allow an authenticated, remote attacker to elevate the privileges of user accounts on the affected device.The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected device. Successful exploitation could allow an authenticated attacker to elevate the privileges of user accounts configured on the device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in xorg-x11-libX11 affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in cURL affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5… --------------------------------------------- *** IBM Security Bulletin: Vulnerabilities in tcpdump affect IBM Flex System Chassis Management Module (CMM) *** https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-5… --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Web Experience Factory *** http://www.ibm.com/support/docview.wss?uid=swg22003695 --------------------------------------------- *** IBM Security Bulletin: Directory Traversal vulnerabilities impact IBM Network Advisor. *** http://www.ibm.com/support/docview.wss?uid=ssg1S1009700 --------------------------------------------- *** IBM Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerability (CVE-2016-6816) *** http://www.ibm.com/support/docview.wss?uid=swg22003660 --------------------------------------------- *** IBM Security Bulletin: Open Source cURL Libcurl, used by BigFix Platform, has security vulnerabilities (CVE-2016-8617 CVE-2016-8624 CVE-2016-8621) *** http://www-01.ibm.com/support/docview.wss?uid=swg22001818 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002446 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Access Manager for e-business and IBM Security Access Manager for Web (CVE-2016-5597, CVE-2016-5554) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002445 ---------------------------------------------

1 0

Tageszusammenfassung - Montag 22-05-2017
by Daily end-of-shift report 22 May '17

22 May '17

======================= = End-of-Shift report = ======================= Timeframe: Freitag 19-05-2017 18:00 − Montag 22-05-2017 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Terror Exploit Kit Evolves Into Larger Threat *** --------------------------------------------- The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a users browser environment. --------------------------------------------- http://threatpost.com/terror-exploit-kit-evolves-into-larger-threat/125816/ *** DSA-3859 dropbear - security update *** --------------------------------------------- https://www.debian.org/security/2017/dsa-3859 *** DSA-3858 openjdk-7 - security update *** --------------------------------------------- Several vulnerabilities have been discovered in OpenJDK, animplementation of the Oracle Java platform, resulting in privilege escalation, denial of service, newline injection in SMTP or use of insecure cryptography. --------------------------------------------- https://www.debian.org/security/2017/dsa-3858 *** WannaCry: Fast nur Windows-7-PCs infiziert *** --------------------------------------------- Mehr als 98 Prozent aller mit WannaCry infizierten PCs laufen nach Zahlen von Kaspersky Lab unter Windows 7. --------------------------------------------- https://heise.de/-3719145 *** Nordkorea unterhält offenbar Spezialeinheit für Cyberangriffe auf Banken *** --------------------------------------------- Soll angeblich hauptsächlich Devisen beschaffen --------------------------------------------- http://derstandard.at/2000058034871 *** Netgear fixes router by adding phone-home features that record your IP and MAC address *** --------------------------------------------- Yeah, that'll be secure for sure Netgear NightHawk R7000 users who ran last weeks firmware upgrade need to check their settings, because the company added a remote data collection feature to the units. --------------------------------------------- www.theregister.co.uk/2017/05/21/netgear_updates_router_with_phone_home_fea… *** "Athena": Mächtiges CIA-Tool knackt alle Windows-Versionen seit XP *** --------------------------------------------- Wikileaks publiziert Dokumente - Umfassende Überwachungsmöglichkeiten, Malware kann auch Daten löschen --------------------------------------------- http://derstandard.at/2000058071298 *** IT threat evolution Q1 2017. Statistics *** --------------------------------------------- According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects. --------------------------------------------- http://securelist.com/analysis/quarterly-malware-reports/78475/it-threat-ev… *** Operation "Porto": 159 Dealer im Darknet ausgeforscht *** --------------------------------------------- Ermittlungsverfahren gegen 697 Personen - 35 kg Suchtgift sowie 4.500 Tabletten sichergestellt --------------------------------------------- http://derstandard.at/2000058084813 *** Achtung, Abzocke: Microsoft warnt erneut vor betrügerischen Anrufen *** --------------------------------------------- Mit angeblichen Support-Anrufen von Unternehmen wie Microsoft oder Dell versuchen Betrüger, PC-Besitzer abzuzocken. Trotz einiger Erfolge der Ermittler bleibt das Problem virulent. --------------------------------------------- https://heise.de/-3720168 *** The Problem with OCSP Stapling and Must Staple and why Certificate Revocation is still broken *** --------------------------------------------- Today the OCSP servers from Let's Encrypt were offline for a while. This has caused far more trouble than it should have, because in theory we have all the technologies available to handle such an incident. However due to failures in how they are implemented they don't really work. --------------------------------------------- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must… *** Was die Datenschutzverordnung bringt: Sammelklagen, Beauftragte *** --------------------------------------------- Nutzer können ab Mai 2018 ihre Rechte leichter durchsetzen, sagt IT-Anwalt Lukas Feiler --------------------------------------------- http://derstandard.at/2000058102109 *** Yahoo schmeisst ImageMagick nach Sicherheitslücke aus eigenem Webmail-Code *** --------------------------------------------- Durch die Schwachstelle konnten Angreifer Speicherinhalte der Yahoo-Server auslesen und so die E-Mail-Anhänge anderer Nutzer ausspionieren. Yahoo schloss die Lücke innerhalb eines selbstverordneten 90-Tage-Ultimatums. --------------------------------------------- https://heise.de/-3720803

1 0

Tageszusammenfassung - Freitag 19-05-2017
by Daily end-of-shift report 19 May '17

19 May '17

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 18-05-2017 18:00 − Freitag 19-05-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** How did the WannaCry Ransomworm spread? *** --------------------------------------------- Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen? --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomwor… *** Who's responsible for fixing SS7 security issues? *** --------------------------------------------- The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/ *** Number of HTTPS phishing sites triples *** --------------------------------------------- When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-trip… *** Hintergrund: Chrome blockt ab sofort Zertifikate mit Common Name *** --------------------------------------------- Wenn der seit Jahren etablierte, hauseigene Dienst plötzlich den HTTPS-Zugang verwehrt, liegt das vermutlich an einer Neuerung der aktuellen Chrome-Version: Google erzwingt den Einsatz der RFC-konformen "Subject Alt Names" und viele Admins müssen deshalb jetzt Hand anlegen. --------------------------------------------- https://heise.de/-3717594 *** Bypassing Application Whitelisting with BGInfo *** --------------------------------------------- TL;DR: BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server. --------------------------------------------- https://msitpros.com/?p=3831 *** "Four Keys to Effective ICS Incident Response" *** --------------------------------------------- While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...] --------------------------------------------- http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-res… *** ETERNALBLUE vs Internet Security Suites and nextgen protections *** --------------------------------------------- Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010). Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)! --------------------------------------------- https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nex… *** Forensik-Tool soll gelöschte Notizen aus iCloud auslesen können *** --------------------------------------------- Der Softwareanbieter Elcomsoft hat seine App "Phone Breaker" um eine Funktion erweitert, die den Umstand ausnutzt, dass Apple offenbar auch vom Nutzer eigentlich vernichtete Notizen länger aufbewahrt. --------------------------------------------- https://heise.de/-3718361 *** MS17-010 (Ransomware WannaCry) Impact to Cisco Products *** --------------------------------------------- The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco… *** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information *** --------------------------------------------- A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information. --------------------------------------------- https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037… *** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages *** --------------------------------------------- http://www.securityfocus.com/archive/1/540569 *** DSA-3855 jbig2dec - security update *** --------------------------------------------- Multiple security issues have been found in the JBIG2 decoder library,which may lead to denial of service, disclosure of sensitive informationfrom process memory or the execution of arbitrary code if a malformedimage file (usually embedded in a PDF document) is opened. --------------------------------------------- https://www.debian.org/security/2017/dsa-3855 *** Indicators Associated With WannaCry Ransomware (Update C) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C *** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038523 *** VMSA-2017-0009 *** --------------------------------------------- VMware Workstation update addresses multiple security issues --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0009.html *** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/ *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010052 --------------------------------------------- *** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010239 --------------------------------------------- *** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability *** http://www-01.ibm.com/support/docview.wss?uid=swg22002356 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. *** http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118 --------------------------------------------- *** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) *** http://www-01.ibm.com/support/docview.wss?uid=swg22000253 --------------------------------------------- *** IBM Security Bulletin: Vulnerability in OpenSSL affect IBM SONAS (CVE-2017-3731) *** http://www.ibm.com/support/docview.wss?uid=ssg1S1010136 ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 18-05-2017
by Daily end-of-shift report 18 May '17

18 May '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 17-05-2017 18:00 − Donnerstag 18-05-2017 18:00 Handler: Stephan Richter Co-Handler: Alexander Riepl *** Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048 *** --------------------------------------------- This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value .. --------------------------------------------- https://www.drupal.org/node/2879177 *** 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3 *** --------------------------------------------- Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed .. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/4022345 *** iPrint Appliance 2.0 Patch 5 *** --------------------------------------------- iPrint Appliance 2.0 Patch 5 includes bug fixes, security fixes and a consolidation of previously released patches and hot patches for the iPrint Appliance 2.0. --------------------------------------------- https://download.novell.com/Download?buildid=nKiTte1j9yM~ *** iPrint Appliance 2.1 Patch 3 *** --------------------------------------------- iPrint Appliance 2.1 Patch 3 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes. --------------------------------------------- https://download.novell.com/Download?buildid=4QmSWkUlwrA~ *** Indicators Associated With WannaCry Ransomware (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01A Indicators Associated With WannaCry Ransomware that was published May 16, 2017, on the NCCIC/ICS-CERT web site. --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01B *** My Little CVE Bot *** --------------------------------------------- The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement .. --------------------------------------------- https://isc.sans.edu/diary.html?storyid=22432 *** Handbrake-Trojaner: Quellcode des Mac-Entwicklerstudios Panic entwendet *** --------------------------------------------- Die auf Mac-Nutzer abzielene Malware “Proton” hat ein erstes prominentes Opfer gefordert: Unbekannte klauten den Quelltext zu mehreren Apps des Entwicklerstudios Panic. Kundendaten sind nicht betroffen, betont das Unternehmen. --------------------------------------------- https://heise.de/-3716479 *** Why the most successful Retefe spam campaign never paid off *** --------------------------------------------- Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At .. --------------------------------------------- https://securityblog.switch.ch/2017/05/18/why-the-most-successful-retefe-sp… *** SSB-412479 (Last Update 2017-05-17): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479… *** [2017-05-18] Multiple critical vulnerabilities in Western Digital TV Media Player *** --------------------------------------------- Multiple critical vulnerabilities, such as unauthenticated arbitrary file upload or local file inclusion, within the WDTV Media Player devices allow an attacker to take over the device over the network. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… *** Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits *** --------------------------------------------- Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few .. --------------------------------------------- https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/ *** ATM Black Box attacks: 27 arrested all over Europe *** --------------------------------------------- The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across .. --------------------------------------------- https://www.helpnetsecurity.com/2017/05/18/black-box-attacks/ *** 22 Cisco Security Advisories 2017-05-17 *** --------------------------------------------- 1 Critical, 3 High, 18 Medium --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily